Windows Analysis Report
IdeaShareKeyInstaller.exe

Overview

General Information

Sample Name: IdeaShareKeyInstaller.exe
Analysis ID: 876179
MD5: c7dfff14e887613a25cec2e1ee87f5a9
SHA1: 5dc3cbf93f7981ab7198e6769749f021cd01c062
SHA256: d08117db56fe4550a2c35a3ab3140a515e2a2e9ebbfc2ab8b89d2ab12e0a5786

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 16
Range: 0 - 100

Signatures

DLL side loading technique detected
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries device information via Setup API
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
EXE planting / hijacking vulnerabilities found
PE file does not import any functions
DLL planting / hijacking vulnerabilities found
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Binary contains a suspicious time stamp
Contains functionality to read device registry values (via SetupAPI)
Uses taskkill to terminate processes
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • IdeaShareKeyInstaller.exe (PID: 6132 cmdline: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe MD5: C7DFFF14E887613A25CEC2E1EE87F5A9)
    • taskkill.exe (PID: 1836 cmdline: "taskkill" /F /T /IM FaultReport.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • conhost.exe (PID: 912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • taskkill.exe (PID: 6900 cmdline: "taskkill" /F /T /IM IdeaShareKey.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • taskkill.exe (PID: 5976 cmdline: taskkill" /F /IM IdeaShareService.exe /FI "STATUS eq running MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • conhost.exe (PID: 1768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • taskkill.exe (PID: 5788 cmdline: "taskkill" /F /T /IM FaultReport.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • conhost.exe (PID: 4404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • taskkill.exe (PID: 1844 cmdline: "taskkill" /F /T /IM IdeaShareKey.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • IdeaShareService.exe (PID: 5840 cmdline: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe MD5: 4C43F81A16703A0539A95CCCB064585F)
    • schtasks.exe (PID: 5528 cmdline: schtasks /delete /tn /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6912 cmdline: schtasks /create /xml C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.xml /tn IdeaShareServiceAt20230526130440 MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • IdeaShareService.exe (PID: 1836 cmdline: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe C:\Windows\system32\config\systemprofile\AppData\Local\IdeaShareKey\IdeaShareService.exe MD5: 4C43F81A16703A0539A95CCCB064585F)
    • dllhost.exe (PID: 5788 cmdline: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} MD5: 2528137C6745C4EADD87817A1909677E)
  • IdeaShareService.exe (PID: 2348 cmdline: "C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe" service MD5: 4C43F81A16703A0539A95CCCB064585F)
  • IdeaShareService.exe (PID: 3968 cmdline: "C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe" service MD5: 4C43F81A16703A0539A95CCCB064585F)
  • IdeaShareService.exe (PID: 5744 cmdline: "C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe" service MD5: 4C43F81A16703A0539A95CCCB064585F)
  • IdeaShareService.exe (PID: 2488 cmdline: "C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe" service MD5: 4C43F81A16703A0539A95CCCB064585F)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: IdeaShareKeyInstaller.exe, 00000000.00000003.403541817.00000000030FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe EXE: C:\Users\user\AppData\Local\IdeaShareKey\FaultReport.exe
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe EXE: schtasks.exe
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe EXE: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe EXE: C:\Users\user\AppData\Local\IdeaShareKey\uninst.exe
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe EXE: taskkill.exe
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe EXE: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKey.exe
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe DLL: WINSTA.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\HME_Video_H264D.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-io-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: WININET.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\QtSingleApp.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\ecsframework.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\zlib.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_login.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\mfc110u.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-localization-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_msg.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\vccorlib140.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_call_mediaservice.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: SHFOLDER.DLL
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_xml.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_dns.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-security-base-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\libipsi_pse.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-eventing-provider-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\ctk.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_os_adapter.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: iphlpapi.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\ecsdata.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_air_client.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\HW_H265dec_Win32D.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_publiclib.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\HME_Video_H263D.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\hwuc.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\dbghelp.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\HME_Video_H264E.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\securec.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\mfcm140.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\HME_Video.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe DLL: UxTheme.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\vcruntime140.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\libipsi_ssl.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_commonlib.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_call_video.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\concrt140.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe DLL: WTSAPI32.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\HME_Video_Srtp_ALG.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\libipsi_crypto.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\msvcp110.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\msvcr110.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\ecscommon.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Network.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\HME_Video_H263E.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\mfc110.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-localregistry-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\rtp.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\fr_plugin.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\libipsi_osal.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_httptrans.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\mfcm140u.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\libssl-1_1.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\msvcp140.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\h265EncDll.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\dbgcore.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe DLL: VERSION.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\mfc140.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\ideasharesdk.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_exception.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\mfc140u.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_rtp.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\ucrtbase.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\ACE.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-downlevel-kernel32-l2-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_https_clt.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\msvcr100.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe DLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-misc-l1-1-0.dll

Compliance

Source: IdeaShareKeyInstaller.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\msvcp140.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\h265EncDll.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\dbgcore.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-memory-l1-1-0.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-synch-l1-2-0.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-errorhandling-l1-1-0.dllJump to behavior
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exeDLL: VERSION.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\mfc140.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\ideasharesdk.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_exception.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\mfc140u.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-private-l1-1-0.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_rtp.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-stdio-l1-1-0.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-heap-l1-1-0.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\ucrtbase.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-utility-l1-1-0.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\ACE.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-downlevel-kernel32-l2-1-0.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\tup_https_clt.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-string-l1-1-0.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-heap-l1-1-0.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\msvcr100.dllJump to behavior
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDLL: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-misc-l1-1-0.dllJump to behavior
Source: IdeaShareKeyInstaller.exeStatic PE information: certificate valid
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\ecscommon.pdb44$GCTL source: IdeaShareKeyInstaller.exe, 00000000.00000003.391603952.00000000030FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382694885.00000000028D9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Work\Projects\Protocol_SpeedDown_AntiPulseLosePacket\src\service\build-win32\out\Release\rtp.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.400600363.00000000030F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\0306_codehub\src\service\build-win32\out\Release\tup_httptrans.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.403541817.00000000030FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.377107158.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.379193800.00000000028D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.378812758.00000000028D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Network.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.363946159.00000000028D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\TSDK_CodeHub\202109011027\src\service\build-win32\out\Release\tup_call_video.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.402141513.00000000030FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\code\trunk\platform\securec\make\windows\securec\Release\securec.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.400816502.00000000030F1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.381835390.00000000028DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbgcore.pdbGCTL source: IdeaShareKeyInstaller.exe, 00000000.00000003.378611056.00000000028DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\ecsdata.pdb--#GCTL source: IdeaShareKeyInstaller.exe, 00000000.00000003.391757771.00000000030F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.380699809.00000000028D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.362279958.00000000028D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp140.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.375307380.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\ecscommon.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.391603952.00000000030FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\0306_codehub\src\component\build-win32\out\Release\tup_dns.pdb--" source: IdeaShareKeyInstaller.exe, 00000000.00000003.402634591.00000000030F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.380850018.00000000028D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\build\LOG_2_2_0_SCCEnc_CMC\code\current\publish\build\VS2017\Release\h265EncDll.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.392537309.0000000003288000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\0306_codehub\src\component\build-win32\out\Release\tup_xml.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.404832548.00000000030F5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.383000586.00000000028DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\TSDK_CodeHub\202109011027\src\service\build-win32\out\Release\tup_call_mediaservice.pdb88! source: IdeaShareKeyInstaller.exe, 00000000.00000003.401492865.00000000030F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\build\V2R8_H263Enc_WIN32_Vs2015\code\current\publish\Demo\Build\Vs2015\Release\HME_Video_H263E.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.394946980.00000000030FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.379470944.00000000028DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\0306_codehub\src\component\build-win32\out\Release\tup_commonlib.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.402422954.00000000030FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.360183579.0000000002D18000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\mfc140.i386.pdbGCTL source: IdeaShareKeyInstaller.exe, 00000000.00000003.370656624.00000000028D9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\mfc110u.i386.pdbWT& source: IdeaShareKeyInstaller.exe, 00000000.00000003.368820894.00000000028DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.380591258.00000000028DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\BaseFrame\lib_vc9\ctk.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.391032334.00000000030FA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mfc110.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.367217273.00000000028D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.380163936.00000000028D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\hwuc.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.397323334.00000000030FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.380766046.00000000028DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382332768.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\TSDK_CodeHub\202109011027\src\service\build-win32\out\Release\tup_call_video.pdb&& source: IdeaShareKeyInstaller.exe, 00000000.00000003.402141513.00000000030FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vccorlib140.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.377544846.00000000028D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp140.i386.pdbGCTL source: IdeaShareKeyInstaller.exe, 00000000.00000003.375307380.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\ecsframework.pdb**# source: IdeaShareKeyInstaller.exe, 00000000.00000003.391910127.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382578796.00000000028D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\0306_codehub\src\component\build-win32\out\Release\tup_dns.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.402634591.00000000030F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp110.i386.pdb0 source: IdeaShareKeyInstaller.exe, 00000000.00000003.374933296.00000000028D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vccorlib140.i386.pdbGCTL source: IdeaShareKeyInstaller.exe, 00000000.00000003.377544846.00000000028D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\build\TUP_Trunk_VersionCompile\code\current\tupci\service\faultreport\bin\release\fr_plugin.pdb$0 source: IdeaShareKeyInstaller.exe, 00000000.00000003.392115844.00000000030F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.379719123.00000000028D1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\build\V2R8_H263Dec_WIN32_Vs2015\code\current\publish\Demo\Build\Vs2015\Release\HME_Video_H263D.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.394690833.00000000030F8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\mfc110u.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.368820894.00000000028DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.383926836.00000000028D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\ecsframework.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.391910127.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382053407.00000000028D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382907422.00000000028DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382151499.00000000028D1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\0306_codehub\src\service\build-win32\out\Release\tup_login.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.404028040.00000000030F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -O2 -DL_ENDIAN -DOPENSSL_PIC -D_FORTIFY_SOURCE=2 source: IdeaShareKeyInstaller.exe, 00000000.00000003.398238612.000000000325A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382799277.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\target\ideasharekey\bin\Release\IdeaShareKey.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.385688768.0000000003261000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\build\LOG_1_2_0_SCCDec_CMC\code\current\publish\Build\VS2015\HW_H265dec_Win32D.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.396995984.00000000030F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-downlevel-kernel32-l2-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.383264544.00000000028DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\tr6Bugfix_nico\service\build-win32\out\Release\tup_exception.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.402876050.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.381196191.00000000028D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr100.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.375798038.00000000028DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\AirPresence\desktop\Windows\AirPresenceMonitor\Release\IdeaShareService.pdb source: IdeaShareService.exe, 00000019.00000000.447529528.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.378928716.00000000028D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: API-MS-Win-Eventing-Provider-L1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.383352636.00000000028DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\hwuc.pdbVV)GCTL source: IdeaShareKeyInstaller.exe, 00000000.00000003.397323334.00000000030FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -O2 -DL_ENDIAN -DOPENSSL_PIC -D_FORTIFY_SOURCE=2OpenSSL 1.1.1f 31 Mar 2020in order to bep, build date is removeplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "D:\share_lin\030606_codehub_win32\open_src_build\openssl\release\lib\engines-1_1"not available source: IdeaShareKeyInstaller.exe, 00000000.00000003.398238612.000000000325A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbQ source: IdeaShareKeyInstaller.exe, 00000000.00000003.360183579.0000000002D18000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\030606_codehub_win32\open_src_build\openssl\libssl-1_1.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.400345936.00000000030F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-security-base-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.383493651.00000000028D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.381757085.00000000028DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbUGP source: IdeaShareKeyInstaller.exe, 00000000.00000003.377107158.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\MFCM140U.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.374720041.00000000028DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\build\TUP_Trunk_VersionCompile\code\current\tupci\service\faultreport\bin\release\fr_plugin.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.392115844.00000000030F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\build\LOG_iMedia_Video1_2_0_H264Dec\code\current\publish\Build\Vs2015\HME_Video_H264D\Release\HME_Video_H264D.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.395560847.00000000030F1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\MFCM140.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.374567471.00000000028DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\app code\airpresence_2\desktop\SDK\OpenSourceCode\ACE\include\lib\ACE.pdb^ source: IdeaShareKeyInstaller.exe, 00000000.00000003.388827825.00000000030F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp110.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.374933296.00000000028D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\ecsdata.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.391757771.00000000030F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\code\windows-bainyi\0927\HMEV2012\build\vc2015\Release\HME_Video.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.393786681.000000000342D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\mfc140u.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.373146232.00000000028D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\0306_codehub\src\service\build-win32\out\Release\tup_login.pdb==" source: IdeaShareKeyInstaller.exe, 00000000.00000003.404028040.00000000030F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr110.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.376314713.00000000028D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\code\windows-bainyi\0927\HMEV2012\build\vc2015\Release\HME_Video.pdbD source: IdeaShareKeyInstaller.exe, 00000000.00000003.393786681.000000000342D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\target\ideasharekey\bin\Release\IdeaShareKey.pdbII." source: IdeaShareKeyInstaller.exe, 00000000.00000003.385688768.0000000003261000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\app code\airpresence_2\desktop\SDK\OpenSourceCode\ACE\include\lib\ACE.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.388827825.00000000030F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382220665.00000000028DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbgcore.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.378611056.00000000028DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\030606_codehub_win32\open_src_build\openssl\libssl-1_1.pdbAA source: IdeaShareKeyInstaller.exe, 00000000.00000003.400345936.00000000030F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.381444648.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.381116835.00000000028D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.379308667.00000000028DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.379938356.00000000028D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\TSDK_CodeHub\202109011027\src\service\build-win32\out\Release\tup_call_mediaservice.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.401492865.00000000030F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\tr6Bugfix_nico\service\build-win32\out\Release\tup_exception.pdb,," source: IdeaShareKeyInstaller.exe, 00000000.00000003.402876050.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\AirPresence\desktop\Windows\AirPresenceMonitor\Release\IdeaShareService.pdb991GCTL source: IdeaShareService.exe, 00000019.00000000.447529528.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: mfc110.i386.pdbP) source: IdeaShareKeyInstaller.exe, 00000000.00000003.367217273.00000000028D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\mfc140.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.370656624.00000000028D9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\030606_codehub_win32\open_src_build\openssl\libcrypto-1_1.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.398238612.00000000032A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\BaseFrame\lib_vc9\ctk.pdbaa# source: IdeaShareKeyInstaller.exe, 00000000.00000003.391032334.00000000030FA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.365225488.00000000028DE000.00000004.00000020.00020000.00000000.sdmp
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.404028040.00000000030F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://%s/Ws/SmcExternal2.asmx
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.363946159.00000000028D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bugreports.qt.io/
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.363946159.00000000028D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bugreports.qt.io/_q_receiveReplyMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogi
Source: IdeaShareKeyInstaller.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: IdeaShareKeyInstaller.exe String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: IdeaShareKeyInstaller.exe
String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: IdeaShareKeyInstaller.exe
String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: IdeaShareKeyInstaller.exe
String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.406551623.00000000030F1000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyInstaller.exe, 00000000.00000000.355313023.0000000000409000.00000002.00000001.01000000.00000003.sdmp, IdeaShareKeyInstaller.exe, 00000000.00000002.412809253.0000000000409000.00000002.00000001.01000000.00000003.sdmp
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: IdeaShareKeyInstaller.exe
String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: IdeaShareKeyInstaller.exe
String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: IdeaShareKeyInstaller.exe
String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: IdeaShareKeyInstaller.exe
String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: IdeaShareKeyInstaller.exe
String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: IdeaShareKeyInstaller.exe
String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: IdeaShareKeyInstaller.exe
String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: IdeaShareKeyInstaller.exe
String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: IdeaShareKeyInstaller.exe
String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: IdeaShareKeyInstaller.exe
String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.362279958.00000000028D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.362279958.00000000028D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.color.org)
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.363946159.00000000028D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.phreedom.org/md5)
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.363946159.00000000028D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.phreedom.org/md5)08:27
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.404028040.00000000030F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://%s/Ws/SmcExternal2.asmx
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.404028040.00000000030F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://%s/getClientParam.action?client=%s&registe=%u
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.404028040.00000000030F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://%u.%u.%u.%u:%u%s
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.397323334.00000000030FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://curCA.zipcurCA.tgz/newCA.tgz:8544/eua/rest/cert/downloadstup_http_download_file
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.403541817.00000000030FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.391032334.00000000030FA000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyInstaller.exe, 00000000.00000003.377544846.00000000028D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.400345936.00000000030F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.openssl.org/H
Source: IdeaShareKeyInstaller.exe, 00000000.00000002.412942145.00000000006BA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: IdeaShareKeyInstaller.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exeCode function: 11_2_011C1A30: hid_get_feature_report,DeviceIoControl,GetLastError,GetOverlappedResult,11_2_011C1A30
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-io-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-security-base-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-downlevel-kernel32-l2-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-eventing-provider-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-localregistry-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-misc-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
Source: IdeaShareKeyInstaller.exeBinary or memory string: OriginalFilename vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.382053407.00000000028D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.378812758.00000000028D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.385688768.00000000032E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIdeaShare Key.exe< vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.377107158.00000000030FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameucrtbase.dllj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.383493651.00000000028D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.388827825.00000000030F9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameACE.DLL( vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.373146232.0000000002D45000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMFC140U.DLL^ vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.380591258.00000000028DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.381757085.00000000028DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.379308667.00000000028DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.379938356.00000000028D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.382694885.00000000028D9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.367217273.0000000002CA9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMFC110.DLL^ vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.394690833.00000000030F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHME_Video_H263D.dllN vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.383000586.00000000028DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.370656624.0000000002D00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMFC140.DLL^ vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.394946980.00000000030FB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHME_Video_H263E.dllN vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.400816502.00000000030F1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesecurec.dll( vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.378611056.00000000028DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDBGCORE.DLLj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.374933296.00000000028D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcp110.dll^ vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.376314713.00000000028D4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcr110.dll^ vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.374720041.00000000028DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMFCM140U.DLL^ vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.360183579.0000000002D18000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameQt5Core.dll( vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.381835390.00000000028DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.363946159.00000000028D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameQt5Network.dll( vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.382332768.00000000030FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.375798038.00000000028DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.368820894.0000000002CC4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMFC110U.DLL^ vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.378928716.00000000028D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.362279958.00000000028D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameQt5Gui.dll( vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.374567471.00000000028DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMFCM140.DLL^ vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.380766046.00000000028DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.382578796.00000000028D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.365225488.00000000028DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameQt5Widgets.dll( vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.380850018.00000000028D2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.380163936.00000000028D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.410733793.0000000003165000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIdeaShareServiceB vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.379193800.00000000028D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.383264544.00000000028DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.396995984.00000000030F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHW_H265dec6 vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.383926836.00000000028D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameqwindows.dll( vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.378196120.0000000002A2C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDBGHELP.DLLj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.382151499.00000000028D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.382220665.00000000028DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.400345936.00000000030F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibsslH vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.381196191.00000000028D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.392115844.00000000030F4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamefr_plugin.dll( vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.379470944.00000000028DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.383352636.00000000028DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.380699809.00000000028D4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.381116835.00000000028D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.393786681.000000000342D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHME_Vide.dllH vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.381444648.00000000030FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.382799277.00000000030FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.382907422.00000000028DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.395560847.00000000030F1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHME_Video_H264D.dllN vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.379719123.00000000028D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.377544846.00000000028D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevccorlib140.DLL^ vs IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.375307380.00000000030FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemsvcp140.dll^ vs IdeaShareKeyInstaller.exe
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile read: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
Source: IdeaShareKeyInstaller.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "taskkill" /F /T /IM FaultReport.exe
Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "taskkill" /F /T /IM IdeaShareKey.exe
Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill" /F /IM IdeaShareService.exe /FI "STATUS eq running
Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "taskkill" /F /T /IM FaultReport.exe
Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "taskkill" /F /T /IM IdeaShareKey.exe
Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeProcess created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn /f
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /xml C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.xml /tn IdeaShareServiceAt20230526130440
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeProcess created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe C:\Windows\system32\config\systemprofile\AppData\Local\IdeaShareKey\IdeaShareService.exe
Source: unknownProcess created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe "C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe" service
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Source: unknownProcess created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe "C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe" service
Source: unknownProcess created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe "C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe" service
Source: unknownProcess created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe "C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe" service
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "IdeaShareService.exe")
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\dllhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\Temp\nsf94EB.tmp
Source: classification engineClassification label: mal48.evad.winEXE@30/122@0/0
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exeCode function: 11_2_011C34B0 CoCreateInstance,11_2_011C34B0
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile read: C:\Users\desktop.ini
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.391757771.00000000030F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS DBVersionTab( VERSION_KEY VARCHAR(20) NOT NULL PRIMARY KEY, VERSION_VALUE VARCHAR(20));
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.391757771.00000000030F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ConnectRecordTab( IPADDRESS VARCHAR(64) NOT NULL PRIMARY KEY ON CONFLICT REPLACE, NAME VARCHAR(50) NOT NULL, RESERVED_INT1 INTEGER NOT NULL DEFAULT(0), RESERVED_INT2 INTEGER NOT NULL DEFAULT(0), RESERVED_INT3 INTEGER NOT NULL DEFAULT(0), RESERVED_STR1 VARCHAR(1024), RESERVED_STR2 VARCHAR(1024), RESERVED_STR3 VARCHAR(1024));INSERT OR REPLACE INTO ConnectRecordTab( IPADDRESS , NAME , RESERVED_INT1, RESERVED_INT2, RESERVED_INT3, RESERVED_STR1, RESERVED_STR2, RESERVED_STR3) VALUES ( ?, ?, ?, ?, ?, ?, ?, ? );UPDATE ConnectRecordTab SET NAME = ? ecs::ecsdata::UpdateConnectRecordCommand::ComposeSQLunknown type : WHERE IPADDRESS = ?ecs::ecsdata::UpdateConnectRecordCommand::BindDELETE FROM ConnectRecordTab WHERE IPADDRESS = ?ecs::ecsdata::RemoveConnectRecordCommand::ComposeSQL;ecs::ecsdata::RemoveConnectRecordCommand::Bindecs::ecsdata::RemoveConnectRecordCommand::RemoveByIPAddresscmd.changedSELECT * FROM ConnectRecordTabecs::ecsdata::ConnectRecordQuery::ComposeSQL ORDER BY rowid DESC;ecs::ecsdata::ConnectRecordQuery::BindT
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.391757771.00000000030F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ConnectRecordTab( IPADDRESS VARCHAR(64) NOT NULL PRIMARY KEY ON CONFLICT REPLACE, NAME VARCHAR(50) NOT NULL, RESERVED_INT1 INTEGER NOT NULL DEFAULT(0), RESERVED_INT2 INTEGER NOT NULL DEFAULT(0), RESERVED_INT3 INTEGER NOT NULL DEFAULT(0), RESERVED_STR1 VARCHAR(1024), RESERVED_STR2 VARCHAR(1024), RESERVED_STR3 VARCHAR(1024));
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.391757771.00000000030F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT OR REPLACE INTO ConnectRecordTab( IPADDRESS , NAME , RESERVED_INT1, RESERVED_INT2, RESERVED_INT3, RESERVED_STR1, RESERVED_STR2, RESERVED_STR3) VALUES ( ?, ?, ?, ?, ?, ?, ?, ? );
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.391757771.00000000030F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT OR REPLACE INTO DBVersionTab( VERSION_KEY, VERSION_VALUE) VALUES ( ?, ? );
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exeCode function: 11_2_011C26B0 GetLastError,FormatMessageW,LocalFree,11_2_011C26B0
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exeCode function: 11_2_011C9D50 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,#316,#4815,#280,#1506,11_2_011C9D50
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1840:120:WilError_01
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeMutant created: \Sessions\1\BaseNamedObjects\I
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1768:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:912:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4404:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6904:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_01
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File written: C:\Users\user\AppData\Local\IdeaShareKey\APConfig.ini
Source: IdeaShareKeyInstaller.exeStatic file information: File size 23716040 > 1048576
Source: IdeaShareKeyInstaller.exeStatic PE information: certificate valid
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\ecscommon.pdb44$GCTL source: IdeaShareKeyInstaller.exe, 00000000.00000003.391603952.00000000030FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382694885.00000000028D9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Work\Projects\Protocol_SpeedDown_AntiPulseLosePacket\src\service\build-win32\out\Release\rtp.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.400600363.00000000030F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\0306_codehub\src\service\build-win32\out\Release\tup_httptrans.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.403541817.00000000030FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.377107158.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.379193800.00000000028D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.378812758.00000000028D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Network.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.363946159.00000000028D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\TSDK_CodeHub\202109011027\src\service\build-win32\out\Release\tup_call_video.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.402141513.00000000030FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\code\trunk\platform\securec\make\windows\securec\Release\securec.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.400816502.00000000030F1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.381835390.00000000028DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbgcore.pdbGCTL source: IdeaShareKeyInstaller.exe, 00000000.00000003.378611056.00000000028DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\ecsdata.pdb--#GCTL source: IdeaShareKeyInstaller.exe, 00000000.00000003.391757771.00000000030F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.380699809.00000000028D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.362279958.00000000028D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp140.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.375307380.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\ecscommon.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.391603952.00000000030FD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\0306_codehub\src\component\build-win32\out\Release\tup_dns.pdb--" source: IdeaShareKeyInstaller.exe, 00000000.00000003.402634591.00000000030F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.380850018.00000000028D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\build\LOG_2_2_0_SCCEnc_CMC\code\current\publish\build\VS2017\Release\h265EncDll.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.392537309.0000000003288000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\0306_codehub\src\component\build-win32\out\Release\tup_xml.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.404832548.00000000030F5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.383000586.00000000028DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\TSDK_CodeHub\202109011027\src\service\build-win32\out\Release\tup_call_mediaservice.pdb88! source: IdeaShareKeyInstaller.exe, 00000000.00000003.401492865.00000000030F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\build\V2R8_H263Enc_WIN32_Vs2015\code\current\publish\Demo\Build\Vs2015\Release\HME_Video_H263E.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.394946980.00000000030FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.379470944.00000000028DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\0306_codehub\src\component\build-win32\out\Release\tup_commonlib.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.402422954.00000000030FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.360183579.0000000002D18000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\mfc140.i386.pdbGCTL source: IdeaShareKeyInstaller.exe, 00000000.00000003.370656624.00000000028D9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\mfc110u.i386.pdbWT& source: IdeaShareKeyInstaller.exe, 00000000.00000003.368820894.00000000028DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.380591258.00000000028DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\BaseFrame\lib_vc9\ctk.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.391032334.00000000030FA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mfc110.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.367217273.00000000028D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.380163936.00000000028D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\hwuc.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.397323334.00000000030FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.380766046.00000000028DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382332768.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\TSDK_CodeHub\202109011027\src\service\build-win32\out\Release\tup_call_video.pdb&& source: IdeaShareKeyInstaller.exe, 00000000.00000003.402141513.00000000030FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vccorlib140.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.377544846.00000000028D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp140.i386.pdbGCTL source: IdeaShareKeyInstaller.exe, 00000000.00000003.375307380.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\ecsframework.pdb**# source: IdeaShareKeyInstaller.exe, 00000000.00000003.391910127.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382578796.00000000028D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\0306_codehub\src\component\build-win32\out\Release\tup_dns.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.402634591.00000000030F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp110.i386.pdb0 source: IdeaShareKeyInstaller.exe, 00000000.00000003.374933296.00000000028D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vccorlib140.i386.pdbGCTL source: IdeaShareKeyInstaller.exe, 00000000.00000003.377544846.00000000028D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\build\TUP_Trunk_VersionCompile\code\current\tupci\service\faultreport\bin\release\fr_plugin.pdb$0 source: IdeaShareKeyInstaller.exe, 00000000.00000003.392115844.00000000030F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.379719123.00000000028D1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\build\V2R8_H263Dec_WIN32_Vs2015\code\current\publish\Demo\Build\Vs2015\Release\HME_Video_H263D.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.394690833.00000000030F8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\mfc110u.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.368820894.00000000028DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.383926836.00000000028D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\ecsframework.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.391910127.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382053407.00000000028D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382907422.00000000028DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382151499.00000000028D1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\0306_codehub\src\service\build-win32\out\Release\tup_login.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.404028040.00000000030F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -O2 -DL_ENDIAN -DOPENSSL_PIC -D_FORTIFY_SOURCE=2 source: IdeaShareKeyInstaller.exe, 00000000.00000003.398238612.000000000325A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382799277.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\target\ideasharekey\bin\Release\IdeaShareKey.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.385688768.0000000003261000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\build\LOG_1_2_0_SCCDec_CMC\code\current\publish\Build\VS2015\HW_H265dec_Win32D.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.396995984.00000000030F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-downlevel-kernel32-l2-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.383264544.00000000028DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\tr6Bugfix_nico\service\build-win32\out\Release\tup_exception.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.402876050.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.381196191.00000000028D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr100.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.375798038.00000000028DA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\AirPresence\desktop\Windows\AirPresenceMonitor\Release\IdeaShareService.pdb source: IdeaShareService.exe, 00000019.00000000.447529528.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.378928716.00000000028D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: API-MS-Win-Eventing-Provider-L1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.383352636.00000000028DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\hwuc.pdbVV)GCTL source: IdeaShareKeyInstaller.exe, 00000000.00000003.397323334.00000000030FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -O2 -DL_ENDIAN -DOPENSSL_PIC -D_FORTIFY_SOURCE=2OpenSSL 1.1.1f 31 Mar 2020in order to bep, build date is removeplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "D:\share_lin\030606_codehub_win32\open_src_build\openssl\release\lib\engines-1_1"not available source: IdeaShareKeyInstaller.exe, 00000000.00000003.398238612.000000000325A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbQ source: IdeaShareKeyInstaller.exe, 00000000.00000003.360183579.0000000002D18000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\030606_codehub_win32\open_src_build\openssl\libssl-1_1.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.400345936.00000000030F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-security-base-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.383493651.00000000028D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.381757085.00000000028DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbUGP source: IdeaShareKeyInstaller.exe, 00000000.00000003.377107158.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\MFCM140U.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.374720041.00000000028DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\build\TUP_Trunk_VersionCompile\code\current\tupci\service\faultreport\bin\release\fr_plugin.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.392115844.00000000030F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\build\LOG_iMedia_Video1_2_0_H264Dec\code\current\publish\Build\Vs2015\HME_Video_H264D\Release\HME_Video_H264D.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.395560847.00000000030F1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\MFCM140.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.374567471.00000000028DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\app code\airpresence_2\desktop\SDK\OpenSourceCode\ACE\include\lib\ACE.pdb^ source: IdeaShareKeyInstaller.exe, 00000000.00000003.388827825.00000000030F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp110.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.374933296.00000000028D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\ServiceComponent\lib_vc9\Release\ecsdata.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.391757771.00000000030F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\code\windows-bainyi\0927\HMEV2012\build\vc2015\Release\HME_Video.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.393786681.000000000342D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\mfc140u.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.373146232.00000000028D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\0306_codehub\src\service\build-win32\out\Release\tup_login.pdb==" source: IdeaShareKeyInstaller.exe, 00000000.00000003.404028040.00000000030F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr110.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.376314713.00000000028D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\code\windows-bainyi\0927\HMEV2012\build\vc2015\Release\HME_Video.pdbD source: IdeaShareKeyInstaller.exe, 00000000.00000003.393786681.000000000342D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\target\ideasharekey\bin\Release\IdeaShareKey.pdbII." source: IdeaShareKeyInstaller.exe, 00000000.00000003.385688768.0000000003261000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\app code\airpresence_2\desktop\SDK\OpenSourceCode\ACE\include\lib\ACE.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.388827825.00000000030F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.382220665.00000000028DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dbgcore.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.378611056.00000000028DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\030606_codehub_win32\open_src_build\openssl\libssl-1_1.pdbAA source: IdeaShareKeyInstaller.exe, 00000000.00000003.400345936.00000000030F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.381444648.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.381116835.00000000028D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.379308667.00000000028DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.379938356.00000000028D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\TSDK_CodeHub\202109011027\src\service\build-win32\out\Release\tup_call_mediaservice.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.401492865.00000000030F4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\tr6Bugfix_nico\service\build-win32\out\Release\tup_exception.pdb,," source: IdeaShareKeyInstaller.exe, 00000000.00000003.402876050.00000000030FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\AirPresence\desktop\Windows\AirPresenceMonitor\Release\IdeaShareService.pdb991GCTL source: IdeaShareService.exe, 00000019.00000000.447529528.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: mfc110.i386.pdbP) source: IdeaShareKeyInstaller.exe, 00000000.00000003.367217273.00000000028D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\mfc140.i386.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.370656624.00000000028D9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\share_lin\030606_codehub_win32\open_src_build\openssl\libcrypto-1_1.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.398238612.00000000032A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\component\workspace\IdeaHub_Component_IdeaShare\AirPresence\desktop\SDK\BaseFrame\lib_vc9\ctk.pdbaa# source: IdeaShareKeyInstaller.exe, 00000000.00000003.391032334.00000000030FA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: IdeaShareKeyInstaller.exe, 00000000.00000003.365225488.00000000028DE000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exeCode function: 11_2_011CB8A6 push ecx; ret 11_2_011CB8B9
Source: HME_Video_H264D.dll.0.drStatic PE information: section name: .rodata
Source: HME_Video_H264E.dll.0.drStatic PE information: section name: .rodata
Source: zlib.dll.0.drStatic PE information: section name: .00cfg
Source: HME_Video_Srtp_ALG.dll.0.drStatic PE information: section name: .00cfg
Source: ideasharesdk.dll.0.drStatic PE information: section name: .00cfg
Source: libcrypto-1_1.dll.0.drStatic PE information: section name: .00cfg
Source: mfc140.dll.0.drStatic PE information: section name: .didat
Source: mfc140u.dll.0.drStatic PE information: section name: .didat
Source: libssl-1_1.dll.0.drStatic PE information: section name: .00cfg
Source: msvcp140.dll.0.drStatic PE information: section name: .didat
Source: vccorlib140.dll.0.drStatic PE information: section name: minATL
Source: vcruntime140.dll.0.drStatic PE information: section name: _RDATA
Source: dbghelp.dll.0.drStatic PE information: section name: .didat
Source: dbghelp.dll.0.drStatic PE information: section name: .mrdata
Source: dbgcore.dll.0.drStatic PE information: section name: .mrdata
Source: qwindows.dll.0.drStatic PE information: section name: .qtmetad
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exeCode function: 11_2_011C22D0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,11_2_011C22D0
Source: ucrtbase.dll.0.drStatic PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]
Source: initial sampleStatic PE information: section name: .text entropy: 6.823101947927201
Source: initial sampleStatic PE information: section name: .text entropy: 6.9169969425576285
Source: initial sampleStatic PE information: section name: .text entropy: 6.9113720938783825
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\HME_Video_H264D.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\Temp\nsv954A.tmp\nsExec.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-io-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\QtSingleApp.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\ecsframework.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\zlib.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKey.exe
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\tup_login.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\mfc110u.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-localization-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\tup_msg.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\vccorlib140.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\tup_call_mediaservice.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\uninst.exe
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\tup_xml.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\Temp\nsv954A.tmp\UserInfo.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\tup_dns.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-security-base-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\libipsi_pse.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-eventing-provider-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\ctk.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\tup_os_adapter.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\ecsdata.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\tup_air_client.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\tup_publiclib.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\HW_H265dec_Win32D.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\hwuc.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\HME_Video_H263D.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\dbghelp.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\HME_Video_H264E.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\securec.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\mfcm140.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\HME_Video.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\vcruntime140.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\libipsi_ssl.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\tup_commonlib.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe File created: C:\Users\user\AppData\Local\IdeaShareKey\FaultReport.exe
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\tup_call_video.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\concrt140.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\HME_Video_Srtp_ALG.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\libipsi_crypto.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\msvcr110.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\msvcp110.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\Temp\nsv954A.tmp\System.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\ecscommon.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Network.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\HME_Video_H263E.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\mfc110.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-localregistry-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\rtp.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\fr_plugin.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\libipsi_osal.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\tup_httptrans.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\mfcm140u.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\Temp\nsv954A.tmp\FindProcDLL.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\libssl-1_1.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\msvcp140.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\h265EncDll.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\dbgcore.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\mfc140.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\ideasharesdk.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\tup_exception.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\tup_rtp.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\mfc140u.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\ucrtbase.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\ACE.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-downlevel-kernel32-l2-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\tup_https_clt.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\msvcr100.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeFile created: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-misc-l1-1-0.dllJump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn /f
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run IdeaShareKey
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe Code function: 11_2_011C5D60 IsIconic
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe Code function: 11_2_011C22D0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\IdeaShareKey\msvcr100.dllJump to dropped file
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-misc-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe Code function: 11_2_011C11B0 hid_enumerate,hid_init,SetupDiGetClassDevsA,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailA,malloc,SetupDiGetDeviceInterfaceDetailA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,calloc,calloc,strncpy_s,_wcsdup,_wcsdup,_wcsdup,strstr,strtol,CloseHandle,free,SetupDiDestroyDeviceInfoList
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe Process information queried: ProcessInformation
Source: IdeaShareKeyInstaller.exe, 00000000.00000002.412809253.0000000000409000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: %d,%d,%d,%d,%d,%dkernel32.dllGetProductInfovmware%u,%u,%uc:\%d,%d,%d,%u~MHzHARDWARE\DESCRIPTION\System\CentralProcessor\0\%u,%u,%u,%u,%s
Source: IdeaShareKeyInstaller.exe, 00000000.00000002.412809253.0000000000409000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: vmware
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.362279958.00000000028D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .?AVQEmulationPaintEngine@@L
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.362279958.00000000028D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .?AVQEmulationPaintEngine@@
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe Code function: 11_2_011CBFCB IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe Code function: 11_2_011C22D0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe Code function: 11_2_011C62D0 SetUnhandledExceptionFilter,#286,#10472,WTSRegisterSessionNotification,#286
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe Code function: 11_2_011CB7AD SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe Code function: 11_2_011CB61A IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe Code function: 11_2_011CAE8E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: C:\Windows\SysWOW64\dbghelp.dll
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe Process created: C:\Windows\SysWOW64\taskkill.exe "taskkill" /F /T /IM FaultReport.exe
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe Process created: C:\Windows\SysWOW64\taskkill.exe "taskkill" /F /T /IM IdeaShareKey.exe
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill" /F /IM IdeaShareService.exe /FI "STATUS eq running
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn /f
Source: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /xml C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.xml /tn IdeaShareServiceAt20230526130440
Source: IdeaShareKeyInstaller.exe, 00000000.00000003.393786681.000000000342D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndplayCWmpProgmanPlayWndBaseQiyiWMPXLUEFramehme_engine::H265E_log..\..\open_src\src\video_coding\codecs\h265\h265_soft_coenc\h265_soft_encoder.ccBDUIDialogH265 SoftEnc_LogH265EncodingThreadhme_engine::H265SoftEncoder::Releasevsprintf_s failedH265 SoftEnc_Log : %s H265E_Create Failedhme_engine::H265SoftEncoder::InitEncodeH265E_Delete Failed! Return Code:0x%xhme_engine::H265SoftEncoder::ResetH265E_GetVersion Failed! Return Code:0x%xHME_H265E_SetParams Failed! Return Code:0x%xinst->maxBitrate:%d,inst->startBitrate:%dh265 enc release failed!EncodingProcesshme_engine::H265SoftEncoder::EncodingProcess_bTransformSkipOn %d,_bSkipStaticFrameOn %d,_iTemporallayerNum:%dhme_engine::H265SoftEncoder::EncodeH265E_SetParams fail! iImgWidth[%d] > iImgHeight[%d]iInitQP %d iMaxQP %dsame frame HME_H265E_CreatestInArgs.stforegroundWindow
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe Code function: 11_2_011C11B0 hid_enumerate,hid_init,SetupDiGetClassDevsA,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailA,malloc,SetupDiGetDeviceInterfaceDetailA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,calloc,calloc,strncpy_s,_wcsdup,_wcsdup,_wcsdup,strstr,strtol,CloseHandle,free,SetupDiDestroyDeviceInfoList
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe Code function: 11_2_011CB9BC cpuid
Source: C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe Code function: 11_2_011CB509 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (1); Scheduled Task/Job (1); Native API (1); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); DLL Search Order Hijacking (2); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (12); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); DLL Search Order Hijacking (2); Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Process Injection (12); Obfuscated Files or Information (2); Software Packing (1); Timestomp (1); DLL Side-Loading (1); DLL Search Order Hijacking (2)
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); Query Registry (1); Security Software Discovery (11); Process Discovery (3); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (23); Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph (ID: 876179, Sample: IdeaShareKeyInstaller.exe, Start date: 26/05/2023, Architecture: WINDOWS, Score: 48)

No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\IdeaShareKey\FaultReport.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareKey.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Core.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Gui.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Network.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\Qt5Widgets.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\QtSingleApp.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-io-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-localization-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-localregistry-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-misc-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-heap-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-locale-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-math-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-multibyte-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-private-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-process-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-runtime-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-stdio-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-string-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-time-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-crt-utility-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-downlevel-kernel32-l2-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-eventing-provider-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\api-ms-win-security-base-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\concrt140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\dbgcore.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\dbghelp.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\libipsi_crypto.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\libipsi_osal.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\libipsi_pse.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\libipsi_ssl.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\mfc110.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\mfc110u.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\mfc140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\mfc140u.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\mfcm140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\mfcm140u.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\msvcp110.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\msvcp140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\msvcr100.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\msvcr110.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\platforms\qwindows.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\tup_exception.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\tup_login.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\tup_rtp.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\IdeaShareKey\ucrtbase.dll | 0% | ReversingLabs
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.phreedom.org/md5) | 0% | URL Reputation | safe
http://www.phreedom.org/md5)08:27 | 0% | URL Reputation | safe
https://%s/Ws/SmcExternal2.asmx | 0% | Avira URL Cloud | safe
http://www.color.org) | 0% | Avira URL Cloud | safe
https://%s/getClientParam.action?client=%s&registe=%u | 0% | Avira URL Cloud | safe
http://%s/Ws/SmcExternal2.asmx | 0% | Avira URL Cloud | safe
https://%u.%u.%u.%u:%u%s | 0% | Avira URL Cloud | safe
https://curCA.zipcurCA.tgz/newCA.tgz:8544/eua/rest/cert/downloadstup_http_download_file | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.phreedom.org/md5) | IdeaShareKeyInstaller.exe, 00000000.00000003.363946159.00000000028D3000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://bugreports.qt.io/_q_receiveReplyMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogi | IdeaShareKeyInstaller.exe, 00000000.00000003.363946159.00000000028D3000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.phreedom.org/md5)08:27 | IdeaShareKeyInstaller.exe, 00000000.00000003.363946159.00000000028D3000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.aiim.org/pdfa/ns/id/ | IdeaShareKeyInstaller.exe, 00000000.00000003.362279958.00000000028D0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.openssl.org/H | IdeaShareKeyInstaller.exe, 00000000.00000003.400345936.00000000030F6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://%s/getClientParam.action?client=%s&registe=%u | IdeaShareKeyInstaller.exe, 00000000.00000003.404028040.00000000030F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://%s/Ws/SmcExternal2.asmx | IdeaShareKeyInstaller.exe, 00000000.00000003.404028040.00000000030F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://nsis.sf.net/NSIS_ErrorError | IdeaShareKeyInstaller.exe, 00000000.00000003.406551623.00000000030F1000.00000004.00000020.00020000.00000000.sdmp, IdeaShareKeyInstaller.exe, 00000000.00000000.355313023.0000000000409000.00000002.00000001.01000000.00000003.sdmp, IdeaShareKeyInstaller.exe, 00000000.00000002.412809253.0000000000409000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://%s/Ws/SmcExternal2.asmx | IdeaShareKeyInstaller.exe, 00000000.00000003.404028040.00000000030F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://%u.%u.%u.%u:%u%s | IdeaShareKeyInstaller.exe, 00000000.00000003.404028040.00000000030F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.color.org) | IdeaShareKeyInstaller.exe, 00000000.00000003.362279958.00000000028D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://bugreports.qt.io/ | IdeaShareKeyInstaller.exe, 00000000.00000003.363946159.00000000028D3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://curCA.zipcurCA.tgz/newCA.tgz:8544/eua/rest/cert/downloadstup_http_download_file | IdeaShareKeyInstaller.exe, 00000000.00000003.397323334.00000000030FB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.haxx.se/docs/http-cookies.html | IdeaShareKeyInstaller.exe, 00000000.00000003.403541817.00000000030FC000.00000004.00000020.00020000.00000000.sdmp | false | | high
No contacted IP infos
Joe Sandbox Version: 37.1.0 Beryl
Analysis ID: 876179
Start date and time: 2023-05-26 13:03:23 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: IdeaShareKeyInstaller.exe
Detection: MAL
Classification: mal48.evad.winEXE@30/122@0/0
EGA Information:
  • Successful, ratio: 50%
HDC Information:
  • Successful, ratio: 99.8% (good quality ratio 77.6%)
  • Quality average: 56.6%
  • Quality standard deviation: 37.9%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 14
  • Number of non-executed functions: 59
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Override analysis time to 240s for sample files taking high CPU consumption
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, consent.exe, WMIADAP.exe, conhost.exe, svchost.exe
  • Execution Graph export aborted for target IdeaShareKeyInstaller.exe, PID 6132 because there are no executed function
  • Not all processes where analyzed, report is missing behavior information
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
13:04:40 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run IdeaShareKey "C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe" service
13:04:42 | Task Scheduler | Run new task: IdeaShareServiceAt20230526130440 path: %LOCALAPPDATA%\IdeaShareKey\IdeaShareService.exe
13:04:49 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run IdeaShareKey "C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe" service
13:04:50 | API Interceptor | 1x Sleep call for process: dllhost.exe modified
No context
Process: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1306192
Entropy (8bit): 6.665518931955342
Encrypted: false
SSDEEP: 24576:V+HuCXLBjKQSzYfoWHob6+/F4NrrXgUfuEPO:cHXcZbOlrXgUfzO
MD5: 1C10E6567A3157549AE19CD6067FDCD6
SHA1: 2DF2FB74221B55540E169BDC8135D3A99D9321FD
SHA-256: CE797AECFAB749DA3E20A34AA4BA599956BD12FA642F22D461580CC97D7ECE46
SHA-512: 624DBDD3821558DBF4A6026767C12122A5D55C317BAE9A9DD5496D09CBE2CD635E98418DF6231023F06AADDEC48267CC09969425D5CB1E792E486BDF048928C4
Malicious: false
Process: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
File Type: Generic INItialization configuration [CONNECTION]
Category: dropped
Size (bytes): 986
Entropy (8bit): 6.253157387259237
Encrypted: false
SSDEEP: 24:+vw+s7vvh6hqsldg/dLUSvI0ZWP0EK7Fa6UKHzCahzy:+vw17vhqldg/dnvIQWP07Fa6UAWahy
MD5: 6E4E26BB0851A091106C715556648461
SHA1: F46C4B319C33CFE21896E6AC24154FAC8F96D2EB
SHA-256: A5E2D74BF94E9400A692EF3EB31F216263DC881FE0BD26F20E879B8C969FB13F
SHA-512: 7F28FDE9D50C6A9624FA8DD5E8393373B8FB0ECAF5BAFF751E762D369F98D686A1AA492522EC5DABB3649908A49B875095DCD20AC1D20644903FA03F33221340
Malicious: false
Preview: ;..............!!!!!!!!!!!!!!!!!!!!..[SYSTEM]..close-button-action=0..;.............. 1:..... 2..........hide-window-after-share=1..default-language=0..;......................APP.... 1:.... 0:........defalut-codelen = 0;..;.......0:6-8. 1:14. ....0....[CONNECTION]..multicast-ip-type=0..;..ip.... 0:IPv4 1:IPv6....multicast-ipv4-address=224.8.8.1..;..ipv4.......multicast-ipv6-address=ff16::1..;..ipv6.......broadcast-ip-type=0..;..ip.... 0:IPv4 1:IPv6....broadcast-ipv4-address=255.255.255.255..;..ipv4.......tcp-port=4999..;....TE....TCP........https-port=1444..;....TE....HTTPS........group-port=13333..;..........search-max-terminal-num=100..;...............search-over-time=3000..;..........(....)....default-bandwidth=4096..;..........default-pcmute=1..;......PC....................[EUA]..eua-address=..eua-port=....[MultiScreen]..screenchoice=0..[IdeaShareServiceTask]..TaskName=IdeaShareServiceAt20230526130440..
Process: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
File Type: JSON data
Category: dropped
Size (bytes): 48
Entropy (8bit): 4.305255793112395
Encrypted: false
SSDEEP: 3:3HGolnmGoERHFtRyvY:3HGo8GoeHfRJ
MD5: 7F9084CDC8D6543FB2BA540554E2DD50
SHA1: A51FBF9A97C31AF9D7B65571F18A17556F12B968
SHA-256: A2F48DFD7A9EC678CA0B750AA4BB939578B66427D2B866D2326A2A606092F9C2
SHA-512: 17424310D9CFECABCAD34C5DE114614E202D7B8AABA8B857BAB19C5C234F95C65AA056EA8B96EF9A9FD876FB449C3523A7DF647BBB6C9150D9F47CA49D4F0265
Malicious: false
Preview: {.. "DumpType": 208,.. "DumpProcess" : true..}
Process: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
File Type: Generic INItialization configuration [EUA]
Category: dropped
Size (bytes): 254
Entropy (8bit): 5.235090828572348
Encrypted: false
SSDEEP: 6:Br5ArDLT93AW4KROGLlARKMWaNDUmuyO5EYRXXI+dVT:hgJ3+KSsMkmuHEf0
MD5: A07D996417082554A2802A01B6397B00
SHA1: A628F4C21EC347B1DB52F207E28D7A131E0FD0AD
SHA-256: 74E5AB84E3CA74F707062FD8DB7AF77D1E039B0A683879D662E1566D23F07ABD
SHA-512: 3926D4ABC85FB059F7FA0B3100488B5392560B42B76BC32E77271B37794D086A638F0E36B010890160A29B7BB0AD282B7D97C7D60A8D4598F0ABF455EE9AB643
Malicious: false
Preview: ;..............!!!!!!!!!!!!!!!!!!!!..;SMC2.0 eua-version=2.0 ..SMC3.0 eua-version=3.0 / eua-version=..[SYSTEM]..upgrade-url=https://www.huaweicloud.com/product/ideahub/ideashare.html..[EUA]..eua-address=..eua-port=..eua-unicode=..eua-version=........
Process: C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1072720
Entropy (8bit): 6.376676027211651
Encrypted: false
SSDEEP: 24576:gNbx+L03ycomJPzJnCdTDlFmDDr5MkIhtjd9g:g3acomJPzNIlFmvr2kWp9g
MD5: 2D039B24C1F9BEBEE01BA988FC1B8BC8
SHA1: 5212C9542ADE50E8E49872410077EDC924C994E4
SHA-256: 7B0F6A3221A8071D94F1526501698352CDFF942B543561BED462A1AD4E565610
SHA-512: 0DB9689DC6C691336665E3222733DAB5504C7B0F2A6629E4BBFF089D26A09463FE230A39FBD979B39EE90B9053C2A55025B1CF42610718B17CB308A6E2866118
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):4326480
              Entropy (8bit):6.375224351213715
              Encrypted:false
              SSDEEP:49152:bnBML8ymWfjTbvykohRC6+JYIkkduOZBZojQ+8XOEG63nq2eTC9OgT4yQ8y2ogKM:9MqWfzrCRF+lZ0Ro
              MD5:A67B045D2024FA2E387F5946E1D18822
              SHA1:32B8EE59C3E45D73C54B41D955F5B07E9B2C5073
              SHA-256:881CD77023E4F1435D0FC5F849786FFAC9E52CEEF5E0737CCEC6F90014EB1BE6
              SHA-512:6057495ED21952064F995D817A04978E43F353561ED1DA3DC20896183F4B2043942553F50A675125E38A2E29004012CA9EE33091CFE4CBAA7E69276111F3CF02
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):216656
              Entropy (8bit):6.7506717898617925
              Encrypted:false
              SSDEEP:3072:AIUwa4EgKgsIBnbf7buNgzgR4R775rMtmlC57YmnLVrRghJwMZwkK1MYzYUVsGhG:y4EgH6ulMYlWBLVrRZ5zZb/s
              MD5:E3CEC23B09090E7F628934EB026C02DA
              SHA1:370BFA3688815281429A06F51584E14E27F015DE
              SHA-256:433D8DC7EC375FB3BD0AA325C48D7DCB377CBD1F578F3538484625309179BB33
              SHA-512:C2A1FB34771E465D99B08A52E2DA2B587B847CBAE69EBF324072F4044CA0A2B0CDB04BE5277FE07BD59766CAC41611F1DA315162CFE64ACB9CC76D08E4F1F759
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):244816
              Entropy (8bit):6.7801240880524825
              Encrypted:false
              SSDEEP:6144:x4EgujdkrYgiZfHRomD29qz4NYhAOoly2+:x4Eg8f1Jh6kz6Yh+Ex
              MD5:503351F71198FB7337D99E41A9EC9469
              SHA1:5021CEEE10C7CAF37A66ECB31DAED28F1A102C41
              SHA-256:441B20CE4E5E703E71CF789C823D4C0374417F3CF4F9972F1CD872B8AFE1B76C
              SHA-512:AEEE0D5D78236CDA456E0B43BC31A020491A0F2FC5BDD0E909F44B36A1B91366D8031518B2A4C5A6D14F97D3BF67CC396868F44294E856CF76E5BB2385AD78A3
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):339536
              Entropy (8bit):6.837077073322368
              Encrypted:false
              SSDEEP:6144:T4YD/qJsJrmEaJEr0LkooGDcO3+5150dXNw:sYD/qJsJSyr0IooGb32CdXS
              MD5:98D0A3067F1460C1F6CE16BFEAC119EE
              SHA1:819B46AC818070516160ABB8081338FEE83EC5CD
              SHA-256:9DDAD8EB9E1F2AEA03E97CAA9624D043645197794F90DDEA028931AEFDCB1135
              SHA-512:88D55A57EB6ECD832EF4FFB8A2EB3E80CC61F7EC6C86F3346413CD48ECA1F0C47025F22EE42F5F15E6067B71005CA8EBCB2751341C1D95B83E2A38F96DDF1E69
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):572496
              Entropy (8bit):6.813870196889395
              Encrypted:false
              SSDEEP:6144:pBEAOOeOOkf5/eb2Dkj8/GHo1jfS6z6vgrTdfEu7A+v+6NXKzf1rhAOpdYiivYUe:Jf5/Oyt/GHo1jfS6ZxxUbDZrhjdYzYf
              MD5:33153833517326E90F122E8187A1783D
              SHA1:4F193D9B0B031D6187209F6EB1379DFBF8F7B098
              SHA-256:ACED84436E2DDBF8AF9A6B5DBE87FE12BD521147383A16644E78E5416BED6EB0
              SHA-512:9539B6E81A75C679ED734254EAEA734220DC8CA67E7A9185230C6F68076D87D617E3F9EB25A0F6EC83420E19CF63EBB56E370095449F68927DC9A78FB9BCFBB3
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):110672
              Entropy (8bit):6.1350045814779826
              Encrypted:false
              SSDEEP:1536:dp9S0SXWxThxm4Dii/vLUn/qf6kaMqqU+NV26sDjkZ4eDgVBr8:P9MW1hYiXLUnSYMqqDLSjkZ4esVe
              MD5:5FF5C83B14F5A889BADA319A5BB358C9
              SHA1:01D16B137BF5C2F7CCD6A9A3081B193C4E5C0112
              SHA-256:7EDBE4A8B56DC93AEF55E6FC7773A7969891FB7AE5C7E2B58E912AD6E7F79460
              SHA-512:247AF0225333BFE5495C153E962EFB060C89C1808C980606AFC22830324188C6ADE711F1C1F30AEFE946494F4CE0345D8CFFE4E7138D0AAA7B98E87377723923
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):425040
              Entropy (8bit):6.780509562078731
              Encrypted:false
              SSDEEP:6144:cc7XlftWAILyubX2T0Kmd/xaksZCJtidQjdQjaYTG46Uo9HuPbE5uW6ES:BjWAIt2Tgx3YTGzOPbE5uW6v
              MD5:12ADB346824A97E1A36E4C679F8BEC68
              SHA1:14948C5065F48041F47E943A653EA2BF69BF5EE3
              SHA-256:66F2636A7D5CE1302F946B3B22C9ADB14EDFFF0AA1DF5A74E7366D738B5AFB47
              SHA-512:8147BF9A4053BDF2D6C39EBBF677BBC3770CE0C107296F396536E29203D3035277A3B631AA084480F21DA43A6175AC59054DB60FCB0A85ACE07A436574A4E95C
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):2133352
              Entropy (8bit):6.05899363891946
              Encrypted:false
              SSDEEP:12288:wHqmIYaT78j5ybM8vSagD6en57GGLGWV9LaDKSSsJ8JTgGL2tSMH77YQaJ3QZixq:bsD6IZfLibWJTgXt97IJgUq
              MD5:30B853E3808705B98AE4C7F92670DA58
              SHA1:9B94C1D8F9BAEA96AEC0B65BE8803DE1F5BE9B34
              SHA-256:F2D6AA073D9A05843D7AAEDAE9BE83E737836E0A781439015E70B458F321B4DC
              SHA-512:83B1552CA2B90F7D00D8B0386E45C334E7070FF486D97B3666E26FF62B7DC33A6E1EA27C0C0F89FD543F162435BC0C260F242863AE20D65A60E68AB044558627
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):467304
              Entropy (8bit):2.6884804650060365
              Encrypted:false
              SSDEEP:3072:Yj+K5m4AWLJppB08rbggromrWrxYMyf+Rr:YaKLLimrCxYMHr
              MD5:4C43F81A16703A0539A95CCCB064585F
              SHA1:C19E07D0CBB8BA66E4DD86010B42A55338100B24
              SHA-256:17F9772138062770DE8BF6F22270A2B9E63AC4BB83369AAC40BC391447FC2EEF
              SHA-512:0B45DD3A2AA3EE53922C3A02D45B4AD83D9EC4208F908B455F989F9247F9E61292E328EF1E0869FFF6967B31858EA2CEA11AB12BDA5AA70D52A7B3A8F6198D7F
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):2752
              Entropy (8bit):3.5425978089708146
              Encrypted:false
              SSDEEP:48:yei1q9eQn1ab9f9V9Lvara+iniudupRCRfMufAuRa7T5XHPsV8iRrp+++:tpnkpBGdinigVMll7dHFA+
              MD5:59A14E32BD5B5C0FB0FD95D259C8B290
              SHA1:86D422B0CD2AAFE63C09C54063B739EE57DDA49E
              SHA-256:8193F1847C8849A5FB567F74CFAA8EAAA5418B99132465F2B6E65DF56B3BFA09
              SHA-512:9CF9FF9A3DDE24085937ABAAD7F75BA8CD5C6A6F6D2C31C1EE0DBA0E5C940A005F404B8EE4C9DE5CE38B969ECDD107E6E98CA0E29039053DC54D024A7F00B451
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">..  <RegistrationInfo>    ..    <URI>\IdeaShareService</URI>..  </RegistrationInfo>..  <Triggers>..    <LogonTrigger>..      <Enabled>true</Enabled>..    </LogonTrigger>..  </Triggers>..  <Principals>..    <Principal id="Author">     ..      <RunLevel>HighestAvailable</RunLevel>..    </Principal>..  </Principals>..  <Settings>..    <MultipleInstancesPolicy>IgnoreNew</Multip
              Process:C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe
              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:modified
              Size (bytes):1534
              Entropy (8bit):3.1885529270410067
              Encrypted:false
              SSDEEP:24:Q+Md0I+d8ortdGDd6DAsAI+dF44O4odFWdF6oqd7I+dLIt:rMz+aort8Dk+PPFoPWP6oqq+Kt
              MD5:88C284B7CF3256E6964D8326563C920A
              SHA1:10427ACBA1747AE26FBDE7AED3EF1ABC0BA318A5
              SHA-256:EDC0C98E73A5BAB7154878A6D33E261CEE8B94EEE2326502CBA373F14C6A0093
              SHA-512:0DFE4220F75C8280922BAD7FA852DE7BB981740441C3D95D3F63CFF27A985ED70BE199A164ACFE4AE9F6062F951597A47E19937620ADB6E8D777C20556CDF21B
              Malicious:false
              Preview:[2023- 5-26]-[13: 4:40:211]Info:********************IdeaShareService Start!!!********************...[2023- 5-26]-[13: 4:40:258]Info:************************Dialog Init Start************************...[2023- 5-26]-[13: 4:40:258]Info:Check IdeaShareKey Device...[2023- 5-26]-[13: 4:42:940]Info:********************IdeaShareService Start!!!********************...[2023- 5-26]-[13: 4:45:617]Warn:not Get Logical Drives...[2023- 5-26]-[13: 4:45:617]Info:Not found Device...[2023- 5-26]-[13: 4:45:617]Info
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):5298536
              Entropy (8bit):6.852481117447856
              Encrypted:false
              SSDEEP:98304:p3QkIHj14FdDhqJsv6tWKFdu9CjzHveRnZyxEdm0:pgdnJsv6tWKFdu9CjzHeb
              MD5:4BB1FC81E4B6149749B6E84EF12712D6
              SHA1:FB0143E6EA6128D7FA7B2E1731D0232D6A40689F
              SHA-256:19BE47FA14A6F1B103171FB2B9B830F631215BB522A8803795DBB72C9E8E4A8F
              SHA-512:9505ED82E68C37717C2EA4E2107ECDED41004946ABD562A03FB92F187E4855D86CF3A319FC323492865C4D0EA8A9A5110737CB662266F360FEC7993CA84C876C
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):5978984
              Entropy (8bit):6.780270903027489
              Encrypted:false
              SSDEEP:98304:f8oNJzx4w24LwWotu+PNlwL9PmEZ23Cex:pBbUuCPwNj2C0
              MD5:D8B7393009A6743FFCFB9D3A138FC114
              SHA1:5467D025F650D80949393DAF58601B47D41A25FA
              SHA-256:48846110574CFA870918E08471A180981D934DB1AAA92B4832CC567D0630A28E
              SHA-512:1AE4580ECEE6E992501C963B9406A2A0A927CA48AB0A3E7B8FDC247EC21AA74EDA9818224D72C3088893418FE8E5044E857B347D056B77DC5D4F73F5BF0EACDA
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):1115496
              Entropy (8bit):6.66916261306281
              Encrypted:false
              SSDEEP:24576:ZNfY4/b8d22Gmou3ZjRkjZgUPiV69DrOMxpqDc0EGQVzKa4:xAd22GrziVaSDckZ
              MD5:80D7021426B78E3E7527265841FC22A7
              SHA1:2E81B7E0F3D717F80284E3A43038997D66616042
              SHA-256:169BE38BE0BC90018DFF8EF05FE004DD04A6D0B3ABE294FC67B42466E5F2E6DD
              SHA-512:A2AF4D9ACE035C51E5CF846DB3955895422E65AE6A6D7D523493AC3AE6BC28ABA87A272BB50B16FC5FFF438723A911E31DED0EEFBDB4EFF7416D7C5E121C64CA
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):4596072
              Entropy (8bit):6.819919859208047
              Encrypted:false
              SSDEEP:98304:O1CmFlF05UMNO1ulAjhDfTbz7quDp+bXa6gYzdkSPD1UZlH6uV75uDdHBclxooG0:Yf59iJ5i
              MD5:2EBDB8799EB13D879A57CC20894EFDFF
              SHA1:8D54AC978DBBCA41742DADFD29DE360EC7E60450
              SHA-256:0CC9C3B945B35EFAB0DBB5706ED285B0C5233E6D36B2261AAA2FB7BFCBA0CD4E
              SHA-512:E580DBFF9CA35A1DDCFD879C35229212732D4E912D0F47430DB7F7C0166FBDDA895170ADF89F4EA2D81F393A71BDB4681E812B8F7B3636C7C8A3357927AEF309
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):37888
              Entropy (8bit):6.1073547240575285
              Encrypted:false
              SSDEEP:768:RJiXhlJ0/q2aqiquV3aHaxGtpA510VxjqjCij9yKqTws:RJivOC9FxG4rsxjq3j9yKqss
              MD5:ABA7C077EFE89A0006FCD643A2C5EC62
              SHA1:531EB0A0941A19159921909BFE20FA47F34C0457
              SHA-256:B214C4FD356E0699900C40EBE22A757E6C6334E8C96F72791ACD27545FFC45A8
              SHA-512:1280CCF34D6B31CAAC2D5F5EAEEDB45E8D8F364E378EC79CCF63072CC40D5ADBB38016D934C8A193606FA6D00F7A7CC4C844DE4E94B06203DA6F954A19076139
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):8552
              Entropy (8bit):6.807322537395992
              Encrypted:false
              SSDEEP:192:43W1hWJn744tk0icWU9F6MZVGl4ogvekMEbceCayowG:UW1hWF/u2WuFRZk4VvDMCYa0G
              MD5:86AD4CED5FA23308A3F1F2864DC46A0C
              SHA1:8F83EABAC8720C741A1FE826A5444C20C4F2BF97
              SHA-256:A17BE9DFB1193EC6E03F86FAC682F845AC4B7318E7F2AB26FAB81F7BFD0704B7
              SHA-512:8E24C32C1237EB52FEBA46071ADAB77D943C590C466410CB26645744524C73CD3D666DC844A149CFA096F5780E7227B47602E1C04E99B272E8F2C2B0D9CF23E6
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):8552
              Entropy (8bit):6.887791584852844
              Encrypted:false
              SSDEEP:192:OnmxD3jW1hWJw744tk0icWU9F6MZVGl4ogvekMEbceC4WXqxixB:On4W1hW6/u2WuFRZk4VvDMCY4WXqixB
              MD5:461ECB89ACC6B7AFB8CD3C7A531279EE
              SHA1:2E9409369E14D747D4D5027B1B6CCDC46B009B65
              SHA-256:8BCBB0599A08986D8A6B91AC6504AA7E1CADFA800E543199896358E5936117D1
              SHA-512:84FDA003E18F640548BECBD024A0FF30E90AE7BC39F523EABB33EB05A7E75FEA6F38E53E919D8C3B147A1D377E1E4693B84DD696BC39815104F0B5D0A2068BC3
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):12136
              Entropy (8bit):6.669096938301602
              Encrypted:false
              SSDEEP:192:2d5RDYPvVX8rFTsxW1hWJM744tk0icWU9F6MZVGl4ogvekMEbceCKmi:66PvVX7W1hW6/u2WuFRZk4VvDMCYKmi
              MD5:F2902CBE3338B160EAA9EC197C85D3F4
              SHA1:933B6D48897043B7C17039DFE1F25577A67500E5
              SHA-256:206A6B4A28643F29A04FE8726CFD28949652C1FEDB7BE817C2D2339DBC7BB6B5
              SHA-512:BC0099CC0BE317047DF5ADBAF2B25561B10C8A9514DDDEF1B0A648274357F32FF2EC328ABA8290E91706BE02CC245662859CA6B4FE4B3C9F1093DE315FED03A3
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):8552
              Entropy (8bit):6.848685532385122
              Encrypted:false
              SSDEEP:192:Z1WIghWGwnY744tk0icWU9F6MZVGl4ogvekMEbceCVO:XWPhWs/u2WuFRZk4VvDMCYVO
              MD5:43ECE6A90EDAADD2FF48AB8C8C6774D4
              SHA1:5D36019F3A938E7EB8C346A663353FAA5B1F4C0F
              SHA-256:7D977159F753E6B4FE7A82D2DDFC83BF58659E0E24E460977C6FEFB872DFDAF0
              SHA-512:32D8C2321C8C1925FB3055536F273ADD085385343288A038FF6D66C80F25FF5D7A0C4373D53729DB0D7ABEA56445545F201DA6D6D3DCAA88362754D0B30AB392
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):8552
              Entropy (8bit):6.984013967829882
              Encrypted:false
              SSDEEP:192:1ZwWIghWGwk744tk0icWU9F6MZVGl4ogvekMEbceCdS6qd:IWPhWI/u2WuFRZk4VvDMCYdRqd
              MD5:5DD19F00D3DBFE2A6E951D02DA187E57
              SHA1:06A9C8A9AE826950814E86812C1B9FB42D7C7382
              SHA-256:57E1AB78D04F211A130934903C3D1309AC2AC6FD12CF027D70E5A041319F02C8
              SHA-512:5F30BE97126DA6174730650177D3431D244F8E720F61056D58A2CC3004AF9014C95702C4DDC8296AEFB001F5F426C583B2FBCFE71925EC875C80217373AD6402
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):8552
              Entropy (8bit):6.837987798459471
              Encrypted:false
              SSDEEP:192:TW1hWJZ744tk0icWU9F6MZVGl4ogvekMEbceCGyDap0YZ/cGC:TW1hWD/u2WuFRZk4VvDMCYGRVUGC
              MD5:D6B1A1E8D8B199A853F1FD76B54670C4
              SHA1:22DE0F484DA80675E4C28F2678B034F5230240EB
              SHA-256:0DDDC1FADEB2BC447314D0EDFE4E5C091F246497229EDD66BEE096EF062620A2
              SHA-512:9618A224ED5B05348898C9F1E8AEBC27BDED6256A4BF7EDA9CD2651B68D3B198218A72F42D2B5AB9AE60C94D7068BC7A82DD9F4D2C113CED7D91220F37F5C49C
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):8552
              Entropy (8bit):7.018650924251849
              Encrypted:false
              SSDEEP:192:FEleW1hWJSB744tk0icWU9F6MZVGl4ogvekMEbceCllDQj:FEleW1hWwR/u2WuFRZk4VvDMCYllMj
              MD5:2BE904BCB606F729840BE69EE40E44B2
              SHA1:A904312EF84915BBBA051EF40A09887FD706CEE0
              SHA-256:0DB2FC25B2879C11E19C69759C25FB1775AB696789A7A5B3552AC9DF7F7FA904
              SHA-512:404791D83EB7E725D385B2DC6FFD768AED9634F3B4549CF38D5FBDC37997FFABF75F24BC49E474C1DDE5B60BD0658ED86D5C1B814C10449B9B95E9AB7FC33126
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):9064
              Entropy (8bit):6.797947539384126
              Encrypted:false
              SSDEEP:192:p5iYsFqW1hWJw744tk0icWU9F6MZVGl4ogvekMEbceCkOr:p5iYsFqW1hWW/u2WuFRZk4VvDMCYk0
              MD5:4C2142996B21E2644879E5203624EC59
              SHA1:B38B0719A3CF609855072FF422C5F96C2282BD00
              SHA-256:13A8C7CF80A6B8DFE4E90095EE836E5AAA632DE2213A499A39FC46C31BD698FB
              SHA-512:B9D59FCB4AE261F3BC856E8726F7A5044CC4F5BDDDD8FFC7BF5A92983871BC49771F06AFE2D9821CD538376DC13E6C7C2A74B029709B8E570BC14AFE32095A19
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):9064
              Entropy (8bit):6.659206533560419
              Encrypted:false
              SSDEEP:192:wWBhWzH744tk0icWU9F6MZVGl4ogvekMEbceC5U0Gt:wWBhWP/u2WuFRZk4VvDMCY5Ul
              MD5:2B3B17466A3E0E028093835CF6757986
              SHA1:563755352589B2EE15F7DBD920E93846A4F9671D
              SHA-256:FF711920AAC91746EE6241D3CC6466D213ACC1AFE31F89409C02228E125BF66E
              SHA-512:5941877A6B006884F5DB5A57D69394AE17A936D75037ABD661F9CA48EE6D0729AA37C8868460B30C1601B826F9097790D139F21932697A3665994CA14BE543DC
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):9576
              Entropy (8bit):6.765413150281784
              Encrypted:false
              SSDEEP:192:dvmgdKvuBL3BZL8W1hWJMy744tk0icWU9F6MZVGl4ogvekMEbceCajNer3:d+g4vuBL3BmW1hW1/u2WuFRZk4VvDMC6
              MD5:06007617BEB4F1690309E88F7E0735FB
              SHA1:38B7BC000A138D611FD61191BEDDC42D46138D70
              SHA-256:648D13605052E86F9D580FC02F51CF71922F9E86ED994454666F5E7916FABBB6
              SHA-512:416F3735611DFFB144E124EB8AC4112A99823A18B49D28A8B4FB0E07CB58C6B6F665BC4AE28BBD6853A6568B14A884BD105C6B52905ED8BAD465B17D6F24120E
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):10088
              Entropy (8bit):6.6051372332267775
              Encrypted:false
              SSDEEP:192:zIgZaSs8zF3xd3nHM0uWohWPM744tk0icWU9F6MZVGl4ogvekMEbceC1y0:zIDSsYF3xd3nHM0uWohWc/u2WuFRZk4i
              MD5:F190B9E47B75AB76C211F9AA2B977760
              SHA1:701AA08D014DFF8991B753D30C10A03C8604F510
              SHA-256:FA691EB187ABA98605765E79D5A61ABA568F8B4E3018D4398A148517DC4A315C
              SHA-512:719C0432144D81124BDD9A920880BE0A33CE19648D79D44C96DCB0A694C0E6ADE43D7E9841A34B542ED5A4C4BE4BEBEB562BA97DCEAA73DF15278A3B513D4A3B
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):11112
              Entropy (8bit):6.827717959439512
              Encrypted:false
              SSDEEP:192:DuZOMw3zdp3bwjGjue9/0jCRrndbVWIghWGwO744tk0icWU9F6MZVGl4ogvekME4:4OMw3zdp3bwjGjue9/0jCRrndbVWPhW3
              MD5:46D931081C0627A149943DC3C8E1FFE7
              SHA1:F4846083ABD9F37E25B731C65AC177D4AE4E2DB3
              SHA-256:EE8B5A0881DFBB72E8C63A3FFD30D3E62D1467F9693AB743D117612B2B11AB02
              SHA-512:6ED4BE78F479C36DF0B75BFF7CC243AFAD4B61790DAC4D39EEEE1FBB34F4EC7B1E5D8F8D02C2966579B76157A62DFC5440FC331E1D14DF70ABE72A5E472C877B
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):10088
              Entropy (8bit):6.494013779954252
              Encrypted:false
              SSDEEP:192:ct6SHWohWXg744tk0icWU9F6MZVGl4ogvekMEbceC0qH5:3SHWohW4/u2WuFRZk4VvDMCY0qH5
              MD5:AE360771ADA3A11A2BA30AB4FEEBF76F
              SHA1:88A4E2F97536C9A0247B875EDC17C1A689BD6A71
              SHA-256:4F630CABF2E601AE368A694C47057C5A4A9A809E7C155745193FC93883F1D4D9
              SHA-512:11262BC5B5C6EC888E3E71EF633B4707F30B211632073B2BC9B2A837A56D11B675EBCA510878BA6FF0D7C2F16C13498AAE8D8C16F23BD9D63C70655FB5E20F50
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):9064
              Entropy (8bit):6.828381437265535
              Encrypted:false
              SSDEEP:192:/btW1hWJU744tk0icWU9F6MZVGl4ogvekMEbceCqgbU:/btW1hWi/u2WuFRZk4VvDMCYqgbU
              MD5:F1F85A25C7ABC45D24B64B891815B510
              SHA1:5D467A2EF9F05FE140910EF304EA211B71FC58D3
              SHA-256:96292248376742BECFA5130C07F81CCCED8B75291CE55CA8C56AFC3967021ADC
              SHA-512:EEE46B07F9F7B582D29DE29618A2159F8F12F2B303722C74A395F8C6EC7DC303568F4F3B28636AB4DE4818748A9D73A68442CDD7D46B67F3497E10C20A3AB3FD
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):10088
              Entropy (8bit):6.350968002370562
              Encrypted:false
              SSDEEP:192:4s0D2rWohWXe744tk0icWU9F6MZVGl4ogvekMEbceCRHdG2W:PWohWC/u2WuFRZk4VvDMCYRHsP
              MD5:59E238940F143B1519F9FD4F873A8D23
              SHA1:28B6B3F7ED3551F27F4735BE612A0E26CBECB318
              SHA-256:E258403032B863626B8979DD5CE87BD6D84C61D8F0796457CE9FB83026E5BE80
              SHA-512:B674D66BF4B3E6978611EAC978C91A8113BD4B4407C5EEDFCA80AE3637D2B87B51702F5C0D36FB0A3052F7627DBDE7B2562794E7C4208165F25B48196B8917E9
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):9576
              Entropy (8bit):6.7750746850469294
              Encrypted:false
              SSDEEP:192:vHW1hWJa744tk0icWU9F6MZVGl4ogvekMEbceC/PJy:vHW1hWo/u2WuFRZk4VvDMCY/PJy
              MD5:338D8312971776E15DBEAE1DD411379E
              SHA1:A56972C6AD98D91AF383D450EAA39FC3DC96CA3B
              SHA-256:827C37AD66CEE66564E09915183BF28B394A82408577CD95DA0AD28B9A80CD38
              SHA-512:6FAB24A333C8709D969C16F6A8B937439E9B633357D1D62C08BDB4D2037A384B54267502E19E4CA62538B96C238885A981EDA0CA24DE82E94337AAF034587899
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):10600
              Entropy (8bit):6.839787316810637
              Encrypted:false
              SSDEEP:192:ZLfk1JzX9cKSIdW1hWJv744tk0icWU9F6MZVGl4ogvekMEbceCuKR5o:pfk1JzNcKSIdW1hWR/u2WuFRZk4VvDMU
              MD5:8376C584A28430235AF597B4CA3CA0DE
              SHA1:65AE54E058DC79EB11B47F67E226783CE1B36CE1
              SHA-256:5AF602F4DD90F4C6EDA49EE73E0D33D002A696FA7550C67117F962E02F9B061A
              SHA-512:118D608CFA7AC6FE1E70E2144B02F7782ED387E5560F490603C386A1BE777C0C112E8C2BEF5E699DA35529F1E140D79BA25CE36E8216EFD1E2D09DE5DFB794C5
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):9064
              Entropy (8bit):6.874778036355501
              Encrypted:false
              SSDEEP:192:0NADfIeRWIghWGw7744tk0icWU9F6MZVGl4ogvekMEbceCIv525:0NADfIeRWPhWr/u2WuFRZk4VvDMCYIvu
              MD5:10BF9BA5ED56387B19BAC5828372FEE7
              SHA1:48A6CB59F92788CB779DA29154ED6A61DC04A8EA
              SHA-256:78321B589DE714CE936A056279778BB02AD3008D48E91F597B8906F85197AF92
              SHA-512:BC634453E954F968C6FBBAB05161906107454DCAA9FA541D9888381D56D581FC16E5D10E871E3C815455237B052F14B88E7A4695F1F76B70C5E0BF9723456277
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):8040
              Entropy (8bit):7.047105665145192
              Encrypted:false
              SSDEEP:192:xiW1hWJIi744tk0icWU9F6MZVGl4ogvekMEbceC6pwfb+q:xiW1hWR/u2WuFRZk4VvDMCY6Xq
              MD5:045D0A8EC27B42B52CCC4468B3DD9896
              SHA1:B9DC492BE2DA2F7F582696CFEA2958C6B4995B33
              SHA-256:9A5BA3BC8FE04C0D69E29D3F0F63271CD82D4991CF6EA7B956E266A175530C30
              SHA-512:6A3D14AE4EFFC490343B1ED92432021D289B7D48CEBCC4492CAE495414E55F1869C3A09B95D4B6B1BEFE990B232266C2314B93DD98184D7B8A0B2A4CDC939A9D
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):8040
              Entropy (8bit):7.047594552109745
              Encrypted:false
              SSDEEP:192:Q6uGZW1hWJO744tk0icWU9F6MZVGl4ogvekMEbceCCsDW:Q6uGZW1hW8/u2WuFRZk4VvDMCYCEW
              MD5:C41A2341F5D3570636268E0757FA34C8
              SHA1:EEF3D2D3DBD5F2F5765CD5BDAEAD24D8595A7B63
              SHA-256:275FB34B1ECF18E9177FDC257785E9F251F65C3E5118232B2FA241460AF1F052
              SHA-512:C6490062944F7A973958ED0E89D82592F0AA73200C3108AB21713639B292FFEEED960F867D272CAE7DBCA174885FF7B6CD1FF596805A453356B062BB61E0831A
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):8552
              Entropy (8bit):6.909683481057144
              Encrypted:false
              SSDEEP:192:syMvlW1hWJ8744tk0icWU9F6MZVGl4ogvekMEbceCRuil:syMvlW1hWe/u2WuFRZk4VvDMCYRuil
              MD5:037780DA6EA1272C1E6F0BB6E9C79277
              SHA1:AA31CF5CA1EF374EA60B92126283F96D65825F95
              SHA-256:3F9F4C5901196CD60F38F794AC3CC4AC999B6A208FD81CA927F102710D135A0D
              SHA-512:1AED234EBFAD3F88D942B37C15C71322B98D3137DB451B283F13AFAFA328FE5B056FD82983A513BCAC44B0495F157015928796574C9ECFAE63759DD2D8D18A73
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):10600
              Entropy (8bit):6.72682923520993
              Encrypted:false
              SSDEEP:192:6dv3V0dfpkXc2MAvVaoK5W1hWJ9f744tk0icWU9F6MZVGl4ogvekMEbceCMaZag3:6dv3V0dfpkXc0vVa7W1hW7T/u2WuFRZs
              MD5:05004028CC37056DD1494845DB22A7B7
              SHA1:2466C474B8958BD21670518AD1C96FB7A8008075
              SHA-256:432985B0FFC5DB8180F7E33EA2362244424622AFC24A924A3E9E851F5A993FF5
              SHA-512:A0FAF124F4657D255764BF99AACC47CDE4B54FF0A9583953D805BDC16CC15D1870F7BBDCE3A9AC3FB47A76FD2A44BCE69A39FFFCC044E9F5F5D2C126831684FE
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):9064
              Entropy (8bit):6.929250597299494
              Encrypted:false
              SSDEEP:192:Cu+ANY2tZ3gWIghWGwd744tk0icWU9F6MZVGl4ogvekMEbceCcEICn:ntZ3gWPhWp/u2WuFRZk4VvDMCYcE9n
              MD5:531B792880D9F8961EF9AF63D2BE6FE1
              SHA1:789F8FB5E2F6C0400B9A3EE5F17D1F3E95D17D7A
              SHA-256:AD310E1633B908D62F1F8AAE92E2AFB9A86C5A71AA6FABF306CDAA2DC78E0989
              SHA-512:6D8B8DE046865889AAF723359F94D8F65EE175196D2E47A3BAC9EDCB1AEF5E63F19972B794A0AFCFACA288B57BF712337D29CC77513DA8B3D5C1C718C1CA9DCD
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):9576
              Entropy (8bit):6.78780327042544
              Encrypted:false
              SSDEEP:192:OrLv12KIMFAW1hWJE744tk0icWU9F6MZVGl4ogvekMEbceCNYnP:OrLN2NW1hWu/u2WuFRZk4VvDMCYNC
              MD5:F2D73704D46DE29BE97CF3717C441F50
              SHA1:BCC0A82C4D46F5731C5C574C981D9F2C18565628
              SHA-256:77043C1A00F4B5D4F5C62B54B47AE19B1C34AC90BBAFA8C209219791A83C4152
              SHA-512:975AAD9289A540D194AE5FB4919050C5F5624C65CC0F0208770F7F39DE085AE2819952C0F7CE6DCDAC84CED9A3593813AFC9285D3B4A84A093A89E01F86F808D
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):8552
              Entropy (8bit):7.016631615696383
              Encrypted:false
              SSDEEP:192:rWIghWGwD744tk0icWU9F6MZVGl4ogvekMEbceC58uTkhp:rWPhWz/u2WuFRZk4VvDMCY59kX
              MD5:348CD4903DC8EF567FEC88B5F8B77F0E
              SHA1:8E880F38A6CDC36694DC757B53725BA643A17DE0
              SHA-256:0E1A391AE36D0D1F7E8C930A48AC8F6EA3350DF6CDA0E54E37FE6BB98D8D3BFE
              SHA-512:25F071AF12A04FE85EA158A460FBD2F3E19AEB191523142F78A3C02AA5B099373BF4FB86F2F6C892B259D607599BDAEBBDBCA278E2BD616750BD6A75B7DBDE45
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):8552
              Entropy (8bit):6.82220257938724
              Encrypted:false
              SSDEEP:192:EnjW1hWJU744tk0icWU9F6MZVGl4ogvekMEbceC29A:EjW1hWS/u2WuFRZk4VvDMCY2K
              MD5:21EC3DB15B7A90E6072D04F9956BA31C
              SHA1:2FF9553CBE3827CCF5E8D8EFF0E0EDC09FCE0D16
              SHA-256:A926890895E5380809ACA6EAC88EEC1E8D90D827B6BA4BD17FEBEA9FDDC4AE69
              SHA-512:876E2B91365E1E6E48A41C046FCE89AAEF7453DD6C9A1C1FB84E8DF1B35E64EFA6B0CDCC2E69DB71AA231BE9F0CB3D154E18EA9B193F40A7EC28D6A78442CE30
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):9576
              Entropy (8bit):6.82292361499687
              Encrypted:false
              SSDEEP:192:JWIghWGwx744tk0icWU9F6MZVGl4ogvekMEbceC9aJIaE:JWPhWF/u2WuFRZk4VvDMCY9a0
              MD5:28C9BEE76895EFCD300F752CD777FEA0
              SHA1:DDFEA66D097B70339E1D378C615AE06C093468AB
              SHA-256:D0FC3756D3B2A3E304991582EEABE30C7068C30D5B2E924FD0518ED86397D19E
              SHA-512:299AA4902CECCF650BAD00CC2F294C81B5A137439E3D9558AB008A6505CA217E5EB56BD27CFFFC6C28F87CAB0F6A4D250298245AF4EF2A327B2A76A2EFF0A4F2
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):12648
              Entropy (8bit):6.511977985882006
              Encrypted:false
              SSDEEP:192:wpdkKBcydWIghWGwf744tk0icWU9F6MZVGl4ogvekMEbceCzo:0uydWPhWv/u2WuFRZk4VvDMCYzo
              MD5:674E89541C1CC113261C3BFE845ED41F
              SHA1:DB7E92E7AD166001658B4624B7B2817ADC97CCCD
              SHA-256:79C102CEDAF63CB7915CE88CDD0819267E759B97C20A62089B92AA1573CA1FC7
              SHA-512:78BEA075F23361FA5A22B75CF63C9AE54612EAFCDABBBAFD0357A238E5AB4358F20F38AA667E0401A0BCAF0A48E642698CB2B6334DDC10B3660C1DC88222E8EC
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):9064
              Entropy (8bit):6.779909769465169
              Encrypted:false
              SSDEEP:192:EWIghWGwV744tk0icWU9F6MZVGl4ogvekMEbceCS0dCm:EWPhWZ/u2WuFRZk4VvDMCYS0db
              MD5:9F1C384F335A302418710DBB8FF9195F
              SHA1:BED8F65BB984750C378505254A3A99EF9763C3E2
              SHA-256:C6594CD39B96390EB97860B8715E0B2248578C59938A2BD89A1BE118F564B312
              SHA-512:AEDC5A64152F7669C3602B5B543687263FAF7D56BE0FC8C7DD9D7E48917B6573AF4DF74B31D5F9FF7EF1515813DC0B1D04A76292994BFFA09ECA378195B402E3
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):10600
              Entropy (8bit):6.815260948052972
              Encrypted:false
              SSDEEP:192:F77q6nWlC0i5C1WIghWGwr744tk0icWU9F6MZVGl4ogvekMEbceCUkJTXJ:pq6nWm5C1WPhWL/u2WuFRZk4VvDMCYU4
              MD5:FD26D001F789C73280DB0B43EBE5B296
              SHA1:CF3B87A3CB94CD59D0E30CC62584A3240B410581
              SHA-256:26923E3E205E9E88587EBF1880D96CE55BD1090DB7FAA3BAB7A80C1D9C87E6CE
              SHA-512:6FD4846078D5D340017C9943FFEE94477097F4AE129F3D580678316881DDA55535927D259CC31BBD4C192DA03B97D8DC94519C81BF87FF9A1BA4935C88CC708C
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):9576
              Entropy (8bit):6.734341451717679
              Encrypted:false
              SSDEEP:192:bY3vY17aFBR4WIghWGwX744tk0icWU9F6MZVGl4ogvekMEbceCLDq/+kh:bY3e9WPhW//u2WuFRZk4VvDMCYLDS+S
              MD5:2D6AA88CD42D4CF28D20F8143874E6ED
              SHA1:F36B4CCB1A08AEB1B601022D3157C93E7B81C038
              SHA-256:AA14E72891F972DF15948A9CE975C392BF4964687778E032AC9ABBD519C8493F
              SHA-512:2D5A3FD637B46194FCC04608CC55A9A8DB44C8AA9BF84B34B8E155F0BCEED5209853CB573B548603D72F328E8285C9088F416C162ED83365F0D1EDF6F107E034
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):9064
              Entropy (8bit):6.912452724430786
              Encrypted:false
              SSDEEP:192:cWIghWGwry744tk0icWU9F6MZVGl4ogvekMEbceCkPTRdm:cWPhW/m/u2WuFRZk4VvDMCYkPT6
              MD5:B171DED7253FE180A4B314E343E63697
              SHA1:190AEFF916C3A76501418077A0236CFBC4ADB039
              SHA-256:9652A74DDF2EB9F4E9A8EAE6A54FDD6282FADEE165D150AA182ADAD1BE1C6489
              SHA-512:5C426FF1F92B9BDC81C827CB25F78C75FA9ECA62B1A640EA1D8ECF9DDF42D70C9F2E203863D8A5F891A528E76427704997DDDE0E95F2A6CBB2C4847D992797D4
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):19304
              Entropy (8bit):6.1800293377315
              Encrypted:false
              SSDEEP:384:eOTEmbM4Oe5grykfIgTmLyWPhWT/u2WuFRZk4VvDMCYbC:uEMq5grxfInb12Tg4tDF
              MD5:34EC21AC35C664E6D5BCAE0B79767368
              SHA1:410FE5FDFA108DE013090F85EC86A5A9452BBDB3
              SHA-256:B9788E4060C80A1CE3AE845D3443A38B155A42E650AFF42AF98B2E93362EA5EB
              SHA-512:D6E29CA8DA1D70CD03F3B959C8EDB4ECE1ADD53B12D62E21CD8C4D86A2A6C03DBD2781F0B6E74FE1813DBBFEC58A7A546FDAC3A5A9B0A8A6EBF025A0F772A6A4
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):16744
              Entropy (8bit):6.171874624951984
              Encrypted:false
              SSDEEP:384:kXy+Kr6aLPmIHJI6/CpG3t2G3t4odXL5WPhWB/u2WuFRZk4VvDMCYRgMVCV3:kXZKrZPmIHJI64z2Tg4tDdB
              MD5:EEA50F530D1ED619D47A67B729581412
              SHA1:C73628A3DDED87F6C1DF6283EC2F5AD2D9FD54AF
              SHA-256:12EB7C4AC34E3BD0D0B0933A51AA08ECB3664EC05B5AC1BD1EFA7A89DECA07B4
              SHA-512:0EEA221B5F5A00FCE7AF7EF77CDAFCB73207D34C6831B84D7F8A84C2CB532E5E48890BC18186419658DBF6D79AE3EAE682ACB67C977536A10179B72AFBE3A043
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):63336
              Entropy (8bit):5.455178439951802
              Encrypted:false
              SSDEEP:1536:J0DjXDe5c4bFE2Jy2cvxXWpD9d3334BkZnVPLXBuL:YjDe5c4bFE2Jy2cvxXWpD9d3334BkZn8
              MD5:E681A50108F93C915D3A7F06341E8E05
              SHA1:414503738573313733D0ABBA1737DBBCE293F054
              SHA-256:5B698E14AE0FD5C1FB56125EF0E23F59C8C8A50565F75A67E541E67B9EA1826E
              SHA-512:B7805800A69B33CB40AE1965E39734B280E9FC9779496CF57261BB743B80BBB0F7D2F5261F568DF6AE30E98E6430ECF84C932BDF301A92A89698FE3B0F3A524D
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):9576
              Entropy (8bit):6.7618528259191235
              Encrypted:false
              SSDEEP:192:YRQqjd7dWIghWGw6744tk0icWU9F6MZVGl4ogvekMEbceCJKbC:YKcWPhWi/u2WuFRZk4VvDMCYJyC
              MD5:6E9BEEADB1C3F03648829974CC884509
              SHA1:2E61B3EB58373CF904A8F7BCC049345A6E1AC9E6
              SHA-256:0E95DA4D92C0F2E59733FF5B3679DE5BCDB9824E9111608E4D6DD2312AD9B65A
              SHA-512:F325676631373ADBE1036F997A2DB3607FD17154A014CF5619523AE908F54C43DCD57FC265A555764ADB6ED508012EC8932E961359150C9CD7BF39539DAEEED8
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):13160
              Entropy (8bit):6.551362181960196
              Encrypted:false
              SSDEEP:192:70CjfhrpIhhf4AN5/jijWIghWGwA744tk0icWU9F6MZVGl4ogvekMEbceCt3/i:7b7hrKwWPhWc/u2WuFRZk4VvDMCYt3/i
              MD5:381BE5F54D942EA3A6C0F4BCA1C1E3F4
              SHA1:8E0005A94AA0BB0719859F3637C7225DA582A653
              SHA-256:9D938D92C42B5FAEA799659417E859473C64C45059283140A0117EC556830A60
              SHA-512:E44EDD2B1F0718ED7D5F0454D2B3298D9C2F938DB6607F8240416899A9F963F38A5955E34D2C065EAF1A66A5CB75337D54A47210F13B9CC8B50AF8322E255A2C
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):14696
              Entropy (8bit):6.442308517376209
              Encrypted:false
              SSDEEP:192:tPnLpHquWYFxEpahjWIghWGwN744tk0icWU9F6MZVGl4ogvekMEbceC6nhP/6j:FZpFVhjWPhWJ/u2WuFRZk4VvDMCY6nhw
              MD5:19B9EF6B90166C2A0FE5E5D18EFC2119
              SHA1:C2D714A1A16B81584CBB9011AF0A731266041EE5
              SHA-256:362B0783E622AFAA36403CF0EEFB9D3BA8C73AA3193D4D13075682FB778C35C2
              SHA-512:94E9D9A4618AA0328132278A92CED8500597DEC3958A37CC00610551A1B0F61BDBD641CD103962ADEDC7F2BAD5EDEBDB7D14653CB837DF79937F7333E99B4D34
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):14696
              Entropy (8bit):6.413223558342021
              Encrypted:false
              SSDEEP:384:diFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGlnWPhWi/u2WuFRZk4VvDMCYt8Po:d6S5yguNvZ5VQgx3SbwA71IkFvY2Tg4E
              MD5:8946CB2F22ADCDD09155C8EECE321037
              SHA1:6DB949F83FB9461063C018E857589BFF7BD75453
              SHA-256:38E0B9D51BB87378DBCE522EB7810B94E4DB463A88DDEA0D16C57B611848E60F
              SHA-512:90930BD6BCC8E34A519D9070EE6F7E34F533D640DA0EA39C5834928D32491059471E8FB7E841411B873A96483D6A687A50A1EA544836012C187D012786CA0491
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):11112
              Entropy (8bit):6.672983574571931
              Encrypted:false
              SSDEEP:192:8QSWb6VJDyWIghWGwn744tk0icWU9F6MZVGl4ogvekMEbceCNEgM:8QSWWVgWPhWP/u2WuFRZk4VvDMCYNQ
              MD5:ED4919904759439B646E1E03AF262EAC
              SHA1:C90BA976D78F866908AF778FFC7AE25FF9425C75
              SHA-256:51110EC0761B641E75F1E29C24B3689DA363C10C28ED2FC81852DD94165A4376
              SHA-512:7848183288E7BB0309D74241E595D4D90E9300DF95ADBEA6B183F1C15A3D5EC8020B750B5B90B142A704A3E49CC56445CE38562942D0BA3737EE478CD5E7BED8
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):9064
              Entropy (8bit):6.898154682787428
              Encrypted:false
              SSDEEP:192:cfHQdu3WIghWGwl2744tk0icWU9F6MZVGl4ogvekMEbceC1PNH4Z:cfBWPhW5q/u2WuFRZk4VvDMCY1PR4Z
              MD5:1F2DD1CC0E87A404590DACC38218161D
              SHA1:D16E2DB04E7EDF80FEEA8A12BEFB43C9ABB2146D
              SHA-256:986D7F0685F2D74CB4F698F17824AF2AF8A7E68AAE64489E5CC12A1D806E8979
              SHA-512:3970E007E7528FF6354F07C73EC69F865FCE781AEE9D3FF3C0430C3D9B22D4DF1EC00A3C14A9DB0C1A7C7416ABADBED1808CED72E0D667D8C96B03EB5C5B7BE5
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):11624
              Entropy (8bit):6.629669041618242
              Encrypted:false
              SSDEEP:192:LEnLL1CbqHCJFY4bmWphWDH744tk0icWU9F6MZVGl4ogvekMEbceCU4:LEL8qHCJkWphWP/u2WuFRZk4VvDMCYU4
              MD5:D907B13A13DB8B6F58EB4716171D0A3E
              SHA1:3372265606E2902274D20AE4BA6A8FAF1233E938
              SHA-256:04540FC89D6C3EA557D6DC52A9EE39903EEF24C00CAD93382312A8AD40673EEC
              SHA-512:E1CA900C97DFE5AF8236A5FCF85D9B50A265C0E29353BF58D77F45AC3B9DCC71A49787A073A13546499E4047A099BFA03B864F6824CF5D5098FFCA44C33EFD6B
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):8552
              Entropy (8bit):6.985297852249055
              Encrypted:false
              SSDEEP:192:S/k+sF1SGs/nWphWDR744tk0icWU9F6MZVGl4ogvekMEbceC5v/:SM++CWphWd/u2WuFRZk4VvDMCY5v/
              MD5:E7D33C7B62DB5C9605354A83A12CD40E
              SHA1:23A67338E62A48D68DC98D8104478284996BEBDC
              SHA-256:50041495891624CFE7237AF6BA7F4A4DFC3AEE665F7295362DBE45AEBCBBA546
              SHA-512:109053C7E8188FBD2AD5E12DBBF3CFB26400C4E2AC5454FD240456B85765824A82F8A20AABD88FF08D507E8177379D7E65D87B90B88BF786074FE012E1A1A24D
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):14184
              Entropy (8bit):6.614988974610919
              Encrypted:false
              SSDEEP:384:PgegRaB87W74EsL10c5VG5xWphW9/u2WuFRZk4VvDMCYmhI:PgeMa4W74Es5FGuD2Tg4tDxI
              MD5:B779CF7DE36CE3403C2DB3ECDDA04AD9
              SHA1:A22A15F074ECF866FE506D7409D2F7E52235CDA2
              SHA-256:1279A054A4379822A00C01E3F73E8C2D49C56BC281BF0D4E41755F509847AB70
              SHA-512:B2D8C09A0B30F1178694F6CC74C169646D0810264851453A8B603DD426DB539FB7C2200E20EC95EDCD0009059FF4EAF2A8AA32B77ED9771B4C70944CE8061E0C
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):233320
              Entropy (8bit):6.639971066679949
              Encrypted:false
              SSDEEP:6144:uVtg4bkcTc3uYSw5ejegvGw9xEPOL8an39bkH1r12z/WK398:uI4xL+wsQ8anK1Azrq
              MD5:C1C5248B307B81997DDB3DE51A033FCA
              SHA1:7F015DB75334C0593AD4AEECE466C5492994D7B0
              SHA-256:E608C7BE5C061E053CAD7B695D50990982FDB0EFB53460262DFF0D6520398323
              SHA-512:F2BBA261A23890EBA4FA636415F513202BDE2135F91F857B35655B7813FEDBAE9F436FE6571A7F470A66721E906B2BC878EBBB10458085B78B6AAB79FBC7AF6B
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):763472
              Entropy (8bit):6.488661421415057
              Encrypted:false
              SSDEEP:12288:bg0t134n44iXmBlIcSc9a0qu95z40HE3cGex:bg0t134n4vslIcScU0dFkN0
              MD5:633CAA1C300A2801DF64CC8E0C78FA42
              SHA1:69E04EAC22EF1B51C297D90FAE38E14A6F4AE6E6
              SHA-256:1A22302646545AC053431BC0609068CB9ACF90DEA82D7495C037F29F92B12BD3
              SHA-512:942E9A37F15938295F0022D3169DBF4A07359618CDF22C559289A8828A66195DB56316BCC73036D8AEAD4B454DF6FB296DAA2D1D1FAF29BB7D494940533198AA
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):144232
              Entropy (8bit):6.539247038216602
              Encrypted:false
              SSDEEP:3072:MmaQASh0NdONoQOxTcdmz3QCAalrN3qnKs31pD4AlR3AqXDzePXsE03:jASh0NdO3CA6Z3qKw12AlR3AqXG903
              MD5:DAA2CF898745C0A54AEACAA009F80CB5
              SHA1:F8E8C9A8396532ABCA2C7006001B76C41BD67E8A
              SHA-256:C190B37B14959861D71089D796AB30B6832B41F2202C5A38BD9AD596128025DC
              SHA-512:D215FF830EB8CA733BA08B7B53E25A7480CE3C6C86A259EB8E42977BEAF7F70B19B94173F6EEC0094CD14624D02119BA4F6D95D9F8BC3DB4F0EAB474133E4B27
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):1506152
              Entropy (8bit):6.561928277157185
              Encrypted:false
              SSDEEP:24576:rmRJbFmBRDhOQnPR20KEpbhnO0At4lukzUdyqkvOz/D4/2Up+gM0OtA3+CpIc2Io:CdF1QnPU0Ke/M7+2kjGttCpHGyr3Fcac
              MD5:558CDAEDB9A620804713A012BAB53925
              SHA1:8D711E9A2BDB8F782E1D5BD788F07877A05C976B
              SHA-256:28C1A16629F4BED8C9CB49C1903D6631B0B904757CE82333F5A149765B8A088A
              SHA-512:90F3FAE26640E0EF284E57B5D375E2A8C7966C63936312DDC8670BF1E8CB373DB887AF5CE16EFD5116B9A56B0EC0E2E93E27EDE3B8E8283127BDE2EFE0724EA9
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):84560
              Entropy (8bit):6.756069673594986
              Encrypted:false
              SSDEEP:1536:2fYVoVbSXVp6cfP4M6LxvsTInNf3frk3z5Q88MNiCjKjVBT:2DVmpcRsGBkDaSNFjKjVp
              MD5:24625FE7D79F640B268929328CB3715D
              SHA1:92212AD81710C1FA663668B771A74C1C6A3998FF
              SHA-256:643629F241EE37BDC885AA7B601C652ABEA9E5FC66432C2B56BBD38BADC64C3B
              SHA-512:55038FBC382CDD148A2D2C313D1E03BF5EE4D46C97B9974E101EA1A566F94B92FFA1079385EA5A177FB1DDA31978B6AF14860D5A6E8C7E42A0AFFA39EF42C62C
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):116304
              Entropy (8bit):6.677438670861377
              Encrypted:false
              SSDEEP:1536:sLgeURS91XzZBGtkzo7oQVtbRfL84mg8H0O4J6C8o7STmrjrVBO:svn/cj84mg8+R7STmrjrVE
              MD5:B866257E2D5AC2B1AF5AAC737FFF3BDF
              SHA1:BB78BF3DEC6BCB47EAF11FDC61F29C3B932611FA
              SHA-256:63AC2564C376298FD3A5852BF85962A9DF20CB8D1EEBA786A77CA613696161F8
              SHA-512:4EBE9CCC98C3CCF6681FD2AF1327F5796A68875BA1DE9FDFC8DDE9A8F2B8317E24F8F371232C66EC67F190F40A436D8298505B5A19EEE9E827A9FEAF744E9A22
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):118352
              Entropy (8bit):6.652855823872858
              Encrypted:false
              SSDEEP:1536:/1/6e0/vIJao/YUy4KBxL1eyGsu1yg2dXUbVi1IZ5/5Xn8E1U1eD+fWcgm/VBN:Y2IxLIL1idXdar/5XE1eMWcH/Vr
              MD5:86902F7D1B0A075961FAF817E5A1F323
              SHA1:7C89796A026657F3F88CACEB34D840ADD7BD2941
              SHA-256:35D2AF9060C9440359995E542AEECB97F20D5EEC3AF1627E0BA0AD33AAEAF82E
              SHA-512:D2F89710C44832E41FFCFD2C47138105812C5B4A17A108793FC0D86DA428BB8156C9CDDEA53C70431473EB071EA475B736C1F8DCC63FE1725763597889A67BDC
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:Generic INItialization configuration [CONFIGPATH]
              Category:dropped
              Size (bytes):3670
              Entropy (8bit):6.120070866180341
              Encrypted:false
              SSDEEP:96:/HrPqr0lHrerb7Po9KOgR7vipdG+fGplNQ0CftHA72e:WA2fydffGpDVitg7n
              MD5:62CCCFC9B665A7349615B3BE5A985383
              SHA1:19459D13B355A39B80D7C3A2F249C696FB14E25C
              SHA-256:F7BC365261E75E964F376DFD5B8C5CEF2AF59E45C94B2179B135622048A55193
              SHA-512:B08A6DD5785C90B7BF1E8BDEDDE31F9FBE9EF7AC9ECBCEA642CCCF4512E09ECDFA3735272DF633E7FB40B4FCEAAE3D54F568DF6FB6F685C807FEE6BECCD7F613
              Malicious:false
              Preview:..;---------------------...............Section--------------------..[LOGPATH]..; ....................................; ............... .. ... FR.EXE .............; ................................%windir%..................+..........; .................path = MyTest\..; ........................%windir%\Zapotec.log..path=fr_exception\fr_fun.log..path=fr_exception\fr_trace.log..path=log\..; .........................[CONFIGPATH]..; ............... .. ... FR.EXE .............; ................................%windir%..................+........; ......................%userprofile%..%windir%....; .....................................%windir%\XDICT.INI....; .................path = MyTest\..;path=%windir%\win.ini..; ...........................;---------------------..........Section------------------------..; ....Section...........0..........1..........;---------------------------------------------------
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:ISO-8859 text, with CRLF line terminators
              Category:dropped
              Size (bytes):12142
              Entropy (8bit):6.107666131324222
              Encrypted:false
              SSDEEP:192:g4XYpRWgUw+gaNgCVb/8vXGBTjexxPi5r8iY5lwQ6la5aWMYdj9PjeiU9ICLn:GpRWgU3b/vrYOQ6MaWdj9P6iU9lT
              MD5:6D8FB45D8B1E43FA53CEE2EEDECCFB05
              SHA1:FB163C949A73B646D3785E6C815C1AF6779A159E
              SHA-256:8E0C60E4991482F7EB53DD19F07D8CFF725354E2E9DCCC62B4D02D8F56A4B8D1
              SHA-512:E1E0B5E74162E42E7EA835E78D80CDEFF9811511D887D0119C8A90B29EA4D317CA684197505F54E4645D49C9CEF6FCDBC908E26A6AE21497495F7A1B46C3557A
              Malicious:false
              Preview:[zh_CN]..; Audio...........IDS_AUDIO_ADAPTER_OPEN=........IDS_AUDIO_ADAPTER_CLOSE=.......IDS_AUDIO_DEVICE_INFO=/***************************** ........ ***************************/..IDS_AUDIO_DEVICE_NAME=.......:..IDS_AUDIO_DEVICE_MANUFACTURER=......:..IDS_AUDIO_DRIVER_VERSION = ............:..IDS_AUDIO_DEVICE_SITUATION=......:..IDS_AUDIO_VOLUM=.........:..IDS_AUDIO_VOLUM_ZERO=..........:..IDS_YES=....IDS_NO=....IDS_AUDIO_MICROPHONE_VOLUM=...........:..IDS_AUDIO_MICROPHONE_VOLUM_ZERO=............:....; Network...........IDS_NETWORK_TCP_PORT_ZERO=......TCP.........IDS_NETWORK_UDP_PORT_ZERO=......UDP.........IDS_NETWORK_PROTOCAL_TYPE=.........IDS_NETWORK_LOCAL_ADDR=........IDS_NETWORK_REMOT_ADDR=.......IDS_NETWORK_PORT_STATUS=.......IDS_NETWORK_INFORMATION=/***************************** ........... ***************************/..IDS_NETWORK_INTERFACE_DESC=..........:..IDS_NETWORK_MAC_ADDR=MAC ...:..IDS_NETWORK_DNS_NAME=DNS........:
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):380496
              Entropy (8bit):6.273969763669411
              Encrypted:false
              SSDEEP:6144:cbEYPX45mcXvAm72tcCtYlzEbzNS/gBlOtDodcNay+j7F:8BQYcfAm72tcCtYm8/g7ceZ
              MD5:B421A76547807ACC79ED2C2615791BDD
              SHA1:822E285C02D5A4AE60A09D40D382DA5236A192CE
              SHA-256:E600A65EEB937576E37F5849299E64C4D5A96C10583544C9898423D944FB8569
              SHA-512:20F0132FA4A9BA295D2E5D4105BA70B1982F10E408AD98E00A0599F0ACE2E94C0B8AC447C0C3C2589F0AD46DD97FCCFD40D40AFB24684E56C4C4720365F304FE
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):1782352
              Entropy (8bit):6.5353249142156855
              Encrypted:false
              SSDEEP:49152:E6+a83O6BDUpEeMTB4aX8cfZMPaJxV6bD9ibaTHpzHvxwuY8DGPKDEed384YN7aJ:4Lcauiyqu0+9lwHu
              MD5:A2499C31A3CE2201F93E5FE20135C4BA
              SHA1:9B4F1504DE1ED84EA23E8D8D6F80BD0FB1FA5586
              SHA-256:C4F5D764C44095F9AEE5B92C156B9F50DF788635259B00ADE026507F14503514
              SHA-512:CFFDB8898306B14DE0F9A509DD77F5CA59E890A5F54FA9D3C2CA0CE22BCB965EC38B97BF1C53BAE4676AFB1A20CEACFBB36E273B069743CB65FC2AC574A8EE25
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):649808
              Entropy (8bit):6.687571741025146
              Encrypted:false
              SSDEEP:6144:gqZS7KSZyKhuJn88RXENedMEZbMbJsTdlVcBE8/ShewrGFXJNPo9Y4FJIk1Xjs45:g5/juWNy2rVYLFOk1Xw47r+4qOQZvQX
              MD5:4DD63FC0B8C7E122AE6F8B21490BD92B
              SHA1:0EFCA41C7F87AD201F147DCD26459198A3C8B233
              SHA-256:DD097AF4B9A33B3B4E8C8A4EBC25CF344A62CCBDB55AA7C4999AF0ACB840D61A
              SHA-512:112AB5C40375D87F4C84003303C8BB894AF3F8E5F7DEC3640F274634DF63D8890748310E112845CDB725862C4DAB8F9FE05633B99CF1E9EFBBB7F1C8D0003627
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):479312
              Entropy (8bit):5.755790119297246
              Encrypted:false
              SSDEEP:6144:k27h53VAW4c4FhGw8I6HkbcpetYZPFvUGj7spG/H:9hNVAW4hMaazqGP
              MD5:6FDF57E2FE8CE3DA29B172A51F97A79E
              SHA1:4E565830C405DE1418EF8D3B31C59252AF9680C6
              SHA-256:BD7472BF1666750F9313200933E38134A1AC5B89FEAC91DB9E595D03751B4B27
              SHA-512:706C88C1B83182E115ABCADA60765545D53FF615B1CF26CE52626A837914084B2705055D186F685B2E595083427A135FF792D3E35FAAAAEF553B9FE5DC8B670C
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):4
              Entropy (8bit):1.5
              Encrypted:false
              SSDEEP:3:MWWn:MWWn
              MD5:E17184BCB70DCF3942C54E0B537FFC6D
              SHA1:E0F05ED4FD4FFB1AF17B55948173BFE2900CEFB4
              SHA-256:F8B7291025863577C250B562E8AA0D7A70387BC67029915CD5C2DFDA40A9E055
              SHA-512:7CDF804C2F5BCA9F9A2E44408B5FC1EF7CCBEF9D8B929AA38958B0E3673B8AD1C5EC3F8600EA81003C54071E1316FF13C091A6D1D05B7C121C72B01E2DAF8869
              Malicious:false
              Preview:1033
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):2118736
              Entropy (8bit):6.163592861974243
              Encrypted:false
              SSDEEP:49152:O9ZoCGzGFxHGwvtWU89su1CPwDv3uFh+qi+:IZ/9mAWU8l1CPwDv3uFh+2
              MD5:BAD35B9E18ADEB8E7ACEE0B2F7884F9A
              SHA1:1879856BA7F3B2F7342E94DFFC292255E5BD9EDD
              SHA-256:DCEC8FDCF2DE254BB77D3704CCE25B9571618AD9E274B34CB4E293815ED51CA3
              SHA-512:4591E1626DA0E4D117F43A4AB0769BE5ED03D335D3D6DB2DBEA67CBFECECC6FC7A6BE3F3B3E6A720D999C2B9B817012610FBBA1B04FF7761F0DBEC05F9FD662D
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):686440
              Entropy (8bit):6.381411525632177
              Encrypted:false
              SSDEEP:12288:vGrf/vB5Xp3OmO7wXbU3Z+W0CF1MV+Qt+BR+:vWvBzzO7wSEQUr4B8
              MD5:BFA6205254C112F6F3389FD1F697119D
              SHA1:86FCAFA2C100297298FC3DC3AB04CC898B4D2C1F
              SHA-256:E582B9FF37724709AC198B6CAEDF8AEF835C2E2FCCBE75EFC2196C014FC5A9FC
              SHA-512:9DB55BE85E643A421804220DC24ADB525DCECA146CB04C3B20A9A9820EB14C94595A6D103D374AA8ABDF5ED4B8A5403662628291349C86BDA224B4D27CA8294B
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):31080
              Entropy (8bit):6.522300868283526
              Encrypted:false
              SSDEEP:768:r+NncKII7m+L9pcMfxzJgV+hDXMtLmYHaGe0Os2Tg4tDgU9:SNpOcFBm0
              MD5:FFF865474DE0E8CDBA1F951A8EE28789
              SHA1:57853D2CAF1EC578F4D832A7CC395B2CA0EDE2F6
              SHA-256:C289468DB334C8772D7B6EBF379964B26357712DB487E202927BA0604FFC898D
              SHA-512:039E6FB42029D82790D582EFC7A683060435A37BE0119B36FD188BB37D39F5A166841F887723324F9E4A301A60899DE46983D7610233BA771A8C0478DBEEB503
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):885096
              Entropy (8bit):6.497572549746118
              Encrypted:false
              SSDEEP:12288:pqKHhbgTEO93++OEzbb7Lwk0rotwCud4FZADxj1oGbXBMi/XJ5bF7eSdRh9V7nfN:R1Zc+KbAkERoGBnfXPHSDrWkGOQGlrkD
              MD5:E1C5D9A4A651291FA30684A7ADD22579
              SHA1:945AB0106B22A36A7ABE1647CE4F3F7F05795F34
              SHA-256:F291C7BC848ADB4A30CE990D9539A41D845E45421AA709F01CEF63B898FAF209
              SHA-512:B828C23CF47D3BACC6E2093735033DA7A0C4F3C628A7798C8BF4EB175D93383F1A29BA5010A72446311D5361A34A5C256F07A691CA93EC323531509F80A6593F
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):704872
              Entropy (8bit):6.47289040454708
              Encrypted:false
              SSDEEP:12288:EVxeUqzjoyrJ4y2YVuq7sn98U4JNCikALSUXdyWqSRAVgBsVEXXcUyoa6U:EndwBJ/2YVKn90zX5e5QcUCL
              MD5:8DE46DDC209F8965A085AD2AF78DD559
              SHA1:ED4F5FC7AD5D5B25BD03B2A8854F5B028A7F5C08
              SHA-256:217EFF2DF882B76239BDD12C3AB69044AEF884186348F206F53719092CD929D8
              SHA-512:1BC7DC2E14C6C0E234451BB5F265F48B06C153AA520D9591AE7F6280BEA1B9A523FFD6553DA95DBE961C3440E14E26671152E2AA78F49001BEEA918A5B9DB130
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):506960
              Entropy (8bit):5.818853596983871
              Encrypted:false
              SSDEEP:12288:8jt6zvCJGO1phi2h6wbAbWWz5rruaqeol2JeL0xU2lvzZe9P:8ja2snjqhixU2lvzZe9P
              MD5:E3F5AC6D77CCAD6AA833A9E94A839EDE
              SHA1:CCB4B8AAB190D47F3BBE3621B6ABE503BB3021E0
              SHA-256:79A162A034010A7A473F988EC051F4AF7399920C43130D27DBE7DCEFB51CB1CA
              SHA-512:3111C76721E59881A96C42067BC577B48146D2A42B730706A35409DEEA03D35AACC6A05E8291AFCB8E3540182B272AFA243C4FC412B3D7835F964134F71155D6
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:Unicode text, UTF-16, little-endian text, with CRLF, CR line terminators
              Category:dropped
              Size (bytes):356
              Entropy (8bit):3.468942392814782
              Encrypted:false
              SSDEEP:6:QrFS8UdP8l9m4ml9xWMAhAAl9PTQ2l9t9il9vmSdP8l9PsfHDNrA2TQ11lgrA2Tw:Qgv09mh9QMAhv9Pn9tg9vld89PsPhrmb
              MD5:68B28B4DE497B213619D7854E89E9497
              SHA1:CCAFDC0515A83C0E27B216712BD05AF6E8F4A6AC
              SHA-256:1BC5B7EC18DBB36933B12F1AD86D97F49E19DF468C561091253AB3DFB86D5FA8
              SHA-512:A88281D1BBBD90E1CB95FC0998AB2364AE12BC90633C6725B3F2863BFE727E1DB5BA47938914C84C08E20806479874953BAE94DDB703A34520B7FA0A498FF73C
              Malicious:false
              Preview:..;..e._.~+R....;.A.L.E.R.T. . .=. .1.0.0.,.....;.C.R.I.T. . . .=. .2.0.0.,.....;.E.R.R.O.R. . .=. .3.0.0.,. .....;.W.A.R.N. . . .=. .4.0.0.,.....;.N.O.T.I.C.E. .=. .5.0.0.,.....;.I.N.F.O. . . .=. .6.0.0.,.....;.D.E.B.U.G. . .=. .7.0.0.,.....;.N.O.T.S.E.T. .=. .8.0.0.....[.S.e.r.v.i.c.e.]...l.o.g.l.e.v.e.l.=.6.0.0...[.G.U.I.]...l.o.g.l.e.v.e.l.=.6.0.0...
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):4411240
              Entropy (8bit):7.065642613116238
              Encrypted:false
              SSDEEP:98304:311W/N/BknZf4OJX9t+NaeR2dURRUyFLOAkGkzdnEVomFHKnP+g9:3ucyFLOyomFHKnPh
              MD5:DFE37438750449245F558144974EDE06
              SHA1:CFFAF042F43E96923B5FA4EFB88DAAB8E83393E9
              SHA-256:9C43F3F4156B90BAE1597A6A249B4EDEB629482F910038FD2172125BC1745AAF
              SHA-512:D8382D86A919BF57D4CE185330ACA5804E882785F8567F961E5AD054A92F72592EF0026A90DDE113DA320B2E1192CAE696E990619A15F157787C960CBBDF7DC9
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):4446568
              Entropy (8bit):7.070043206175241
              Encrypted:false
              SSDEEP:98304:Dra1QTpsfQ//4/IzLPQ6EOmh0U+0d7fFLOAkGkzdnEVomFHKnPQg+P:D50j+0hFLOyomFHKnPQg+P
              MD5:BD56515BE170D64B880F2DF6D4CEF453
              SHA1:A505B7AE8E788C9C4821995E1BE80642F7E3C422
              SHA-256:986BB4ABBA3F7CBE3439D1332572AC8FAA17B2F3EEDF7B7C50023137382CC7EA
              SHA-512:FA86D19A220C52D62108FDB9E902FC6B1B26305F982529C36E9DFA91C575A46B9C95A1CFAFFC88AC464EC257B03F4DDEEA63D9D253EA7D5C38E43170F0151365
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):4746600
              Entropy (8bit):7.054863961502151
              Encrypted:false
              SSDEEP:98304:+0BSmTN0O3xKBHfR2NJU0Fri7YZ2FLOAkGkzdnEVomFHKnPzkT:dlA5RaU0Fri7YZ2FLOyomFHKnPzkT
              MD5:670E529FE7DA60D01F3A8800A280C6A6
              SHA1:5FAF707A8F36CBF3A76E5EFECA521C753A0AA180
              SHA-256:0B81C2C57A18E56DF5CCB1EEA07E62C13152816B495F2AA7AEFEC037FA195C4C
              SHA-512:19A213369A875BDE35919A09FD3783EB6F0FE819F6F6A81A8F2B5FF16ACB3E2FC6D1D36EC3104CC035E0D464D3728EA764B8F1391198383ADD4DB0476EFF8946
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):5041512
              Entropy (8bit):6.868096553287344
              Encrypted:false
              SSDEEP:98304:H4iE2PQUbOxTla877f2EYmPCHLy1ZqLEFwaBS5z6IFLOAkGkzdnEVomFHKnPv1aI:YF2oUyxo8nxCHLLE7BS5zfFLOyomFHKX
              MD5:C88EE0ACFC089ED05A822361A8DF55EA
              SHA1:A83E311015EB8D0CB28A3B82B01B4A3E0FBAFAA7
              SHA-256:CC83D44EE23F5F44429A2B523DF6505432F6AE79A3233ADEBE234A3FB7B1BB8A
              SHA-512:43F06AE3B0008115A92F6271B21F2BC69900771B6DDAFC8A8DD76CB70494C0D8A6002F9314841701253526F793D99AA7011B3188305D9A8349CA6EC23D809F22
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):82280
              Entropy (8bit):6.3353023306928895
              Encrypted:false
              SSDEEP:1536:ZJLMNkxLlY4XSeko0OIvoNXb5zLxK9nhhsZG5n0S9MhAb7IBN:ZJXLl5Se+kNXb5zLxK9nhhss0qMm7IX
              MD5:E9B833A49608F17E628DA7916EDE6A3C
              SHA1:58F67085899A3032A5CC3C4EE066E270E0EDACEA
              SHA-256:4DAD4B14FED7DB1F5652E8C7448AA5128987FAD3AEFC8333FEDAB2F650FCF3EB
              SHA-512:782A12AA0CF07F82B959808E6412B24B50B5D6A4A1B15A4FDBF1FA99F4F2173F8F88A8C00490161046EA5E72C9F8B4E5F164EE0689992D0C46257988725B9B68
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):82280
              Entropy (8bit):6.336819654689569
              Encrypted:false
              SSDEEP:1536:ZIHM1IsY9Y4XSmbhvoteMhf8G3DTzLxK9nhhsZGQv4gE+ubh3Bna:ZIOY95SmVQtekr3DTzLxK9nhhsf4gE3q
              MD5:6294658E01A8CDB666C25F944F3AB309
              SHA1:EF0E6EDEDE7701678070D1482D34DABBED562B3D
              SHA-256:BAE2E69AACE99768E160A5EFD5438C13CC2F751BAEB34A5E8DCF5917D77B33C4
              SHA-512:16FE56645A49FF63F59DAA58BFA3C9EBA28D746144A0D20100090F19576AC96B0AA9EBF704534568B011CD9F3238E8103E2CA4616E7F912A797DEA03E51E8B91
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):525160
              Entropy (8bit):6.028639794493234
              Encrypted:false
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):429416
              Entropy (8bit):6.615729295233097
              Encrypted:false
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):770408
              Entropy (8bit):6.909293518342905
              Encrypted:false
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):865640
              Entropy (8bit):6.907564550247982
              Encrypted:false
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):1221992
              Entropy (8bit):6.832955399743319
              Encrypted:false
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):107600
              Entropy (8bit):6.714402999473523
              Encrypted:false
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):160336
              Entropy (8bit):6.692815830319358
              Encrypted:false
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):468560
              Entropy (8bit):6.76603570394093
              Encrypted:false
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):818256
              Entropy (8bit):6.6244892470176975
              Encrypted:false
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):614480
              Entropy (8bit):6.5528530608516995
              Encrypted:false
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):53328
              Entropy (8bit):6.837119250420988
              Encrypted:false
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):241744
              Entropy (8bit):6.591637517861468
              Encrypted:false
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):195944
              Entropy (8bit):6.4602584715718505
              Encrypted:false
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):182864
              Entropy (8bit):6.669877776550339
              Encrypted:false
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):683600
              Entropy (8bit):6.687578093766771
              Encrypted:false
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):653672
              Entropy (8bit):6.604111959125523
              Encrypted:false
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):55888
              Entropy (8bit):6.807240193296814
              Encrypted:false
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):73296
              Entropy (8bit):6.828646403490432
              Encrypted:false
              SSDEEP:768:jps5iyu1QK9FONjGG0YxPoATSG9sOcsN5kcFN6wVoqwTZbunjWk1l55Tg4tDqmB:dVEUG9J1SNOcK5kcFNlirTZqzVB1
              MD5:6A0A375894E20CC87CF8126266A0E018
              SHA1:115FE5F5320F90C79B6FE6C2F606B2A09F117042
              SHA-256:2D25E5CD19B7A0E811B8E37F17038A9C11AF333AABEED283043F170ACA7DDEAB
              SHA-512:10CD5E51185225EE31032C717B378C1B31453D5D7CAF8CDB8BC36C83D870E08ED72D575246FB68C852358D0040261482E4514D1DCE23DC011F559EAD37D24E75
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):27216
              Entropy (8bit):6.8615090209699625
              Encrypted:false
              SSDEEP:384:DeNVN5DDmZHkOTkSwHGS06PCD5F4RSsMQ39/K/uVGBk1l6itb5WuFRZk4VvDMClM:GnNmZHkI90jWk1l55Tg4tDSj
              MD5:7812845ECF014B07E408B6426C411E14
              SHA1:DE1C7551F45F7FE3F802913DF241553B7D8431DF
              SHA-256:2F97599A805EE87D78AB6FE2757AAD8D87296904E9BB7285B6EA6883F5C99B53
              SHA-512:18A2223AA035BC87B2041DD38E8CF099C44CFB156579A4676487A7B49A74F47B6B29761BB7A2D40FE5D38E73D8C67F7938674FB5E4FFC8DE84A584E6B6B5FF71
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):92520
              Entropy (8bit):6.62687713929208
              Encrypted:false
              SSDEEP:1536:SvAiRjKZX7j2N3oO9DXluP3uEYmLPkw+Vw8GS5ynBt:NiRWh+7lDEYsK5Yz
              MD5:CF975AC5A37D9061BAD7EAC902170DA3
              SHA1:B286909A3A48997FFA883AEB01974ECF5AB5BB68
              SHA-256:2ABBC2D36BB7D7CFFE54E7E7700528F39FBF2CA6BCBF920DCE9E6649C258052D
              SHA-512:BE99756174A0935EEFC821E02EF900F3555C9E0D25C191D7055F2D53AD7C64862C59A6A312FA10ECAB9383877673558DFCA07B01B4C6DD12F253C32C392156C5
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):45136
              Entropy (8bit):6.9038631874875955
              Encrypted:false
              SSDEEP:768:7AnkAtEeeRybvfALTqqE5GkQvc5QvSrjWk1l55Tg4tD//z:HAtEV+AHqDGkQvc5QvSfVB9b
              MD5:D158B176BDD386CA5F34944E03B77235
              SHA1:C56D2D4EF6C0CE6C816D920C5646348CC613856E
              SHA-256:0D42EE462B808A580E4788D8BC17CEE99443D1318C0F72CA40C7F7920DDDBBF7
              SHA-512:D06AA9D671AFB6DEB719821541E45129C19F90A7609A51348B6CAFB849AFBC68AACDB33467892383FD8F83CD366934639E63DCA66CAFA001501463F922DC258E
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):1132392
              Entropy (8bit):6.795912971471886
              Encrypted:false
              SSDEEP:24576:+ZBmnrh2YVAPROs7Bt/tX+/APcmcvIZPoy4TbKA:OBmF2lIeaAPgbr
              MD5:EFB5BABAF171AF9F46A1E40D1EFAFE92
              SHA1:DD796F9CBF2B1D222909998418CC669D4BE07A37
              SHA-256:10C62C90A87070721E34B15BAE02E8DB034A162506DB52CAD55CE7225B573879
              SHA-512:A212AA3AF52907651A27212A2361C56F93D6EE80E33D2FEAF9264D444E431798B54EF613177EF78EEAF3BB665A2265C33ECB079D328434E51311768EAD92CAA0
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Category:dropped
              Size (bytes):133680
              Entropy (8bit):5.517899615001
              Encrypted:false
              SSDEEP:1536:tRH1LWEIde8252So6BtQ2NH++vCIDiJvz+29L27Fmd3WdcyruKpM8uuc5B5DarX3:t5Ide35h80e+vCIeJBd3Wqj50wVS
              MD5:173F373AA396ACC97B2DFDE4FDC545D5
              SHA1:8C18B44DDE08AE5D23693772E9495A4C24338602
              SHA-256:9A536500A1493FDE71D3162FDC34AC74A852471784F547D67234E3629ABAAE74
              SHA-512:40ECC96AAA250164BA12ABD1A11F2C8E5F6BB365FEF790F04DCB23081CECE2C0BE2D36DFD9F2FCF700166F45261BD4BA0943299A3FB213EB9AF1190E3070CC55
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):256872
              Entropy (8bit):6.519478937526173
              Encrypted:false
              SSDEEP:3072:LmtsEDFI3gMogf+wReEwFFm7xMZLaP6VrjZHwcrP3nYCYhd:CtsExI3MgPRAMMZLaP6Vrjqhd
              MD5:7DEADD78A906B03E7868DBC24A00398F
              SHA1:DCC39B2E3F867E66F8096470E32938B14A6ACFFB
              SHA-256:FC80EE8D18FC9021A3A25CA012D94A6A36169CC50D08CB60A1842E094E649C3A
              SHA-512:77CCDBA099E14B02B863188DDCE22ABE43DEF44AFBD538EFB2028C4C79CAC9593A710BDD7AC0E16CC4B54C7826CB8B4DC5DBD68A36E0A095072A296A87E0F254
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):73576
              Entropy (8bit):6.689591816501345
              Encrypted:false
              SSDEEP:1536:9BYGvQ2+Ub54AE6ZkJrIriwx0AKGsu0g1kq1ecbRMKlB6XB0vg:9B7vQ2+a54AE0sAKxQ1ecbRMKlyuo
              MD5:A6C323B39DEBEBBF9843A8B161556794
              SHA1:72CA5DEB42AE7DF6561E51544A72EE3D36E2B87A
              SHA-256:C494C57B087E9DA17979297FFFCF3D5916C536FC539ED52BB0EEF9155FDE5996
              SHA-512:BF9B233EC06D2193B8ECC0E2984398285AB787E3595EE9DAC814F38F3E61FC53BF780C28A94ABE203C2BCAEABA27D1C1AE3549B8917A4C56A86F819E751C74EB
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):112720
              Entropy (8bit):6.029635995175913
              Encrypted:false
              SSDEEP:1536:MCZt3jwUyPYREWe3FN/CnBkinToIfkIOcIOv2Z8dVBN:MSTsYRI3F0NTBfKSv2Z8dVf
              MD5:0422C522026AA140572F327B44668D03
              SHA1:31161A0E5D10A9FE3D3E8FF4279E4CFE90ACDE94
              SHA-256:EBDE560BBF5FC3C4AEDD90459DA319E2E9335704E238904ED51AA6F58D75FBE7
              SHA-512:D8726D3F10D1F1C5AF0C3A44901F246311F501D457B428554ABF497271527C500D73C7B84511239CE328708B9251A109A662D33DFA24BABE2D69E84AB68E5E44
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):3584
              Entropy (8bit):4.070406328694606
              Encrypted:false
              SSDEEP:48:SJp9bgAa4QYAOpO+k5SR4aV0GV/XamAKDNh7Mt:Ab+4Tptk5SR4gxV/XamBN
              MD5:8614C450637267AFACAD1645E23BA24A
              SHA1:E7B7B09B5BBC13E910AA36316D9CC5FC5D4DCDC2
              SHA-256:0FA04F06A6DE18D316832086891E9C23AE606D7784D5D5676385839B21CA2758
              SHA-512:AF46CD679097584FF9A1D894A729B6397F4B3AF17DFF3E6F07BEF257BC7E48FFA341D82DAF298616CD5DF1450FC5AB7435CACB70F27302B6DB193F01A9F8391B
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):11264
              Entropy (8bit):5.751023915745929
              Encrypted:false
              SSDEEP:192:jEvCcZ5+twSkY1YLKs4C/nWRfVMd8kQdOPEbpNZ8rQ6prY8:iCAGCYNs4C/nWxVg8kTM1yTFY8
              MD5:7DF8FB4196186F28CB308F9952D7EF64
              SHA1:F20A7259AD233AC3795B6E6537DE658209A8FD40
              SHA-256:72253837028ABED272E5D50A3A6771933E9DD1AAD73E90B8DB4538AA9C786CBF
              SHA-512:3F373D69664CE015CEAB16C12BA4C806C3489B89AE9DB282551EC2452ACD2CED1D70DDD4DE0EF8C56D62A715624C9D2CEDDC968ADF07E905F2E4C81C2850AE4B
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):4096
              Entropy (8bit):3.306574744087796
              Encrypted:false
              SSDEEP:48:q8UoEYLj4bQp/BH1wgzRMJ/hwDMbj+cZSTvz2m:nPOQppHugydh5ecQvz2m
              MD5:127A2A7B8CB2C364BD7669E04822B334
              SHA1:F6D958E69B6608677F66EA7AB452D10F972F0859
              SHA-256:D652D20A63ABB4C1529C803E5B68233B36EFFD973006F0C4E36E9A5ECDA2D983
              SHA-512:5F03DBACA4F2B358FB44A0809E084C62713CC73DECB8607510B234638E8A3AAB1433E8D7A392FA31904484550E869143109C507E37E6B8CA241FA1E9E1133F80
              Malicious:false
              Process:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):6144
              Entropy (8bit):5.5371658829793065
              Encrypted:false
              SSDEEP:96:BUDpusY5MOwErFhxIUg80YvQF95/Xgh9KSY2u4AF3LMoBRYXIPN7/:B9dMOw4Fhxng83vQFgjKSluPlhB+XIPt
              MD5:77E34147071C3A021AEC15D59D3602EF
              SHA1:88DC0B5C16DDCA5ABD5F7097FC4085A29405A20C
              SHA-256:E0ADC770E8F0B3E2E949888046F458111AE3BEFD44C1CACE367C8399151CD5CB
              SHA-512:05C2AF83172799DB0374A1371C175CD0C44A5A9C30E80117D52D6F4DA6BD5DF3C4F3123CEC7A48BF2E6EB07A945351D32848A542BB826FEEB441D9ADFAF583A4
              Malicious:false
              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):7.999876539921463
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:IdeaShareKeyInstaller.exe
              File size:23716040
              MD5:c7dfff14e887613a25cec2e1ee87f5a9
              SHA1:5dc3cbf93f7981ab7198e6769749f021cd01c062
              SHA256:d08117db56fe4550a2c35a3ab3140a515e2a2e9ebbfc2ab8b89d2ab12e0a5786
              SHA512:f7f4b01e111247240bd8a36108ebdd0a0ba02398ee444de62e121ac9ef32217edded348e5747d6d2d46b27eae8c85e9d42a2d8d3709d65361cdf8d920ec69983
              SSDEEP:393216:4k/9WC05CN0YZqFhXeeYc7R/ASRObUdUzdXVQkdnhN1rmL2Q4Lbcq81xxrsT69z:J/9WJ5CN1iBej+tUUdAfQkBhzmL2/blw
              TLSH:C73733C589FD80A9DA29817082E014F2E68E3D341D07EB1CB135FA15563B6BA7DB4B8D
              Icon Hash:0109999d9d0d8901
              Entrypoint:0x4038a8
              Entrypoint Section:.text
              Digitally signed:true
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x52AFF32C [Tue Dec 17 06:46:04 2013 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:a73b2531bfc838dc3d19df5285b8d0fd
              Signature Valid:true
              Signature Issuer:CN=GlobalSign GCC R45 CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
              Signature Validation Error:The operation completed successfully
              Error Number:0
              Not Before, Not After
              • 6/2/2021 12:37:54 AM 6/3/2022 12:37:54 AM
              Subject Chain
              • CN=软通动力信息技术（集团）股份有限公司, O=软通动力信息技术（集团）股份有限公司, L=北京市, S=北京市, C=CN
              Version:3
              Thumbprint MD5:302F9D7469F8C3413FEEC8D8C9B808F8
              Thumbprint SHA-1:C2455B5BB7938677784BFE593CCE0E218E2AB68D
              Thumbprint SHA-256:F44AEB9493563C34D85C329C38D892C77DCC768C831AF7FB48DE773837E32AB6
              Serial:249A5D0D48B5FBE5F0138D14
              Instruction
              sub esp, 000002D8h
              push ebx
              push ebp
              push esi
              push edi
              push 00000020h
              xor ebx, ebx
              pop esi
              mov dword ptr [esp+18h], ebx
              mov dword ptr [esp+10h], 0040A2D0h
              mov dword ptr [esp+14h], ebx
              call dword ptr [00409090h]
              mov dword ptr [esp+1Ch], eax
              call dword ptr [00409034h]
              push 00008001h
              call dword ptr [004090B4h]
              push ebx
              call dword ptr [00409330h]
              push 00000008h
              mov dword ptr [00473EB8h], eax
              call 00007F230865D550h
              push ebx
              push 000002B4h
              mov dword ptr [00473DD0h], eax
              lea eax, dword ptr [esp+3Ch]
              push eax
              push ebx
              push 0040A2CCh
              call dword ptr [004091A4h]
              push 0040A2B4h
              push 0046BDC0h
              call 00007F230865D232h
              call dword ptr [004090B0h]
              push eax
              mov edi, 004C40A0h
              push edi
              call 00007F230865D220h
              push ebx
              call dword ptr [00409158h]
              cmp word ptr [004C40A0h], 0022h
              mov dword ptr [00473DD8h], eax
              mov eax, edi
              jne 00007F230865AB2Ah
              push 00000022h
              pop esi
              mov eax, 004C40A2h
              push esi
              push eax
              call 00007F230865CEF8h
              push eax
              call dword ptr [00409270h]
              mov esi, eax
              mov dword ptr [esp+20h], esi
              jmp 00007F230865ABB1h
              push 00000020h
              pop ebp
              cmp ax, word ptr [eax]
              Programming Language:
              • [ C ] VS2005 build 50727
              • [RES] VS2005 build 50727
              • [LNK] VS2005 build 50727
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xada4 | 0xf0 | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x101000 | 0x4bb0 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x169b078 | 0x3050 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x338 | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x7788 | 0x7800 | False | 0.6550455729166667 | data | 6.509642546823201 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata | 0x9000 | 0x2f64 | 0x3000 | False | 0.3724772135416667 | data | 4.571600211578863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0xc000 | 0x67ebc | 0x200 | False | 0.21875 | data | 1.5987280494305565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .ndata | 0x74000 | 0x8d000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc | 0x101000 | 0x4bb0 | 0x4c00 | False | 0.2041529605263158 | data | 3.382324314575568 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country
              RT_ICON | 0x1011d8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States
              RT_DIALOG | 0x105400 | 0x100 | data | English | United States
              RT_DIALOG | 0x105500 | 0x11c | data | English | United States
              RT_DIALOG | 0x105620 | 0x60 | data | English | United States
              RT_GROUP_ICON | 0x105680 | 0x14 | data | English | United States
              RT_VERSION | 0x105698 | 0x238 | data | |
              RT_MANIFEST | 0x1058d0 | 0x2dd | XML 1.0 document, ASCII text, with very long lines (733), with no line terminators | English | United States
              DLL | Import
              KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, CloseHandle, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, GlobalHandle, GlobalReAlloc, GetSystemDefaultLCID, GetVolumeInformationA, QueryPerformanceFrequency, GlobalMemoryStatusEx, GetSystemInfo, GetModuleFileNameA, lstrcatA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, GlobalLock, MulDiv
              USER32.dll | GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, GetClassInfoW, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, ScreenToClient, IsDlgButtonChecked, GetAsyncKeyState, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, SetWindowLongW
              GDI32.dll | CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor, SelectObject, CreateFontIndirectW, SetBkMode, SetTextColor
              SHELL32.dll | SHFileOperationW, SHGetFileInfoW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetSpecialFolderLocation, ShellExecuteW
              ADVAPI32.dll | RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegEnumValueW, RegDeleteKeyW, RegCloseKey, RegEnumKeyW, RegOpenKeyExW, RegDeleteValueW
              COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
              ole32.dll | OleUninitialize, CoCreateInstance, CoTaskMemFree, OleInitialize
              VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoSizeA, VerQueryValueW, GetFileVersionInfoW, VerQueryValueA, GetFileVersionInfoA
              WININET.dll | InternetReadFile, InternetConnectA, InternetOpenA, InternetCloseHandle, HttpOpenRequestA, HttpQueryInfoA, HttpSendRequestA, InternetSetOptionA
              SHLWAPI.dll | PathFindFileNameA, StrStrIA
              iphlpapi.dll | GetAdaptersInfo
              Language of compilation system | Country where language is spoken | Map
              English | United States |
              No network behavior found

              Target ID:0
              Start time:13:04:14
              Start date:26/05/2023
              Path:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\IdeaShareKeyInstaller.exe
              Imagebase:0x400000
              File size:23716040 bytes
              MD5 hash:C7DFFF14E887613A25CEC2E1EE87F5A9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              Target ID:1
              Start time:13:04:15
              Start date:26/05/2023
              Path:C:\Windows\SysWOW64\taskkill.exe
              Wow64 process (32bit):true
              Commandline:"taskkill" /F /T /IM FaultReport.exe
              Imagebase:0xb60000
              File size:74752 bytes
              MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:2
              Start time:13:04:15
              Start date:26/05/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff745070000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:3
              Start time:13:04:15
              Start date:26/05/2023
              Path:C:\Windows\SysWOW64\taskkill.exe
              Wow64 process (32bit):true
              Commandline:"taskkill" /F /T /IM IdeaShareKey.exe
              Imagebase:0xb60000
              File size:74752 bytes
              MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:4
              Start time:13:04:15
              Start date:26/05/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff745070000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:5
              Start time:13:04:38
              Start date:26/05/2023
              Path:C:\Windows\SysWOW64\taskkill.exe
              Wow64 process (32bit):true
              Commandline:taskkill" /F /IM IdeaShareService.exe /FI "STATUS eq running
              Imagebase:0xb60000
              File size:74752 bytes
              MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:6
              Start time:13:04:38
              Start date:26/05/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff745070000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:7
              Start time:13:04:38
              Start date:26/05/2023
              Path:C:\Windows\SysWOW64\taskkill.exe
              Wow64 process (32bit):true
              Commandline:"taskkill" /F /T /IM FaultReport.exe
              Imagebase:0x7ff745070000
              File size:74752 bytes
              MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:8
              Start time:13:04:38
              Start date:26/05/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff745070000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:9
              Start time:13:04:39
              Start date:26/05/2023
              Path:C:\Windows\SysWOW64\taskkill.exe
              Wow64 process (32bit):true
              Commandline:"taskkill" /F /T /IM IdeaShareKey.exe
              Imagebase:0xb60000
              File size:74752 bytes
              MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:10
              Start time:13:04:39
              Start date:26/05/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff745070000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:11
              Start time:13:04:40
              Start date:26/05/2023
              Path:C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe
              Imagebase:0x11c0000
              File size:467304 bytes
              MD5 hash:4C43F81A16703A0539A95CCCB064585F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:12
              Start time:13:04:40
              Start date:26/05/2023
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:schtasks /delete /tn /f
              Imagebase:0xa90000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:13
              Start time:13:04:40
              Start date:26/05/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff745070000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:14
              Start time:13:04:40
              Start date:26/05/2023
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:schtasks /create /xml C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.xml /tn IdeaShareServiceAt20230526130440
              Imagebase:0xa90000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:15
              Start time:13:04:41
              Start date:26/05/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff745070000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:18
              Start time:13:04:42
              Start date:26/05/2023
              Path:C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe C:\Windows\system32\config\systemprofile\AppData\Local\IdeaShareKey\IdeaShareService.exe
              Imagebase:0x11c0000
              File size:467304 bytes
              MD5 hash:4C43F81A16703A0539A95CCCB064585F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:19
              Start time:13:04:48
              Start date:26/05/2023
              Path:C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe" service
              Imagebase:0x11c0000
              File size:467304 bytes
              MD5 hash:4C43F81A16703A0539A95CCCB064585F
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:21
              Start time:13:04:50
              Start date:26/05/2023
              Path:C:\Windows\System32\dllhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
              Imagebase:0x7ff769260000
              File size:20888 bytes
              MD5 hash:2528137C6745C4EADD87817A1909677E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:24
              Start time:13:04:50
              Start date:26/05/2023
              Path:C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe" service
              Imagebase:0x11c0000
              File size:467304 bytes
              MD5 hash:4C43F81A16703A0539A95CCCB064585F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:25
              Start time:13:04:57
              Start date:26/05/2023
              Path:C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe" service
              Imagebase:0x11c0000
              File size:467304 bytes
              MD5 hash:4C43F81A16703A0539A95CCCB064585F
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:29
              Start time:13:04:58
              Start date:26/05/2023
              Path:C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\AppData\Local\IdeaShareKey\IdeaShareService.exe" service
              Imagebase:0x11c0000
              File size:467304 bytes
              MD5 hash:4C43F81A16703A0539A95CCCB064585F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

                Execution Graph

                Execution Coverage:10%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:6.4%
                Total number of Nodes:1328
                Total number of Limit Nodes:9
3938 11c5e17 3935->3938 3939 11c5e42 3935->3939 3937 11c8630 70 API calls 3936->3937 3943 11c5e06 #286 3937->3943 3993 11c9d50 CreateToolhelp32Snapshot 3938->3993 4003 11ca070 #286 3939->4003 3942 11c5e5b 3944 11c5ebc 3942->3944 3945 11c5e62 Sleep #286 3942->3945 3943->3927 4030 11c9cb0 #316 #4815 #280 3944->4030 3947 11c8630 70 API calls 3945->3947 3946 11c5e2c 3946->3943 3950 11c5e82 3947->3950 3949 11c5e25 3949->3939 3949->3946 3954 11ca070 148 API calls 3950->3954 3951 11c5eca 3952 11c5f27 3951->3952 3953 11c5ed1 Sleep #286 3951->3953 3956 11c5f35 #286 3952->3956 3957 11c5f50 3952->3957 3955 11c8630 70 API calls 3953->3955 3958 11c5e97 3954->3958 3959 11c5ef1 3955->3959 3960 11c8630 70 API calls 3956->3960 4033 11c67b0 SetTimer 3957->4033 3958->3944 3961 11c5e9e #286 3958->3961 3963 11c9cb0 74 API calls 3959->3963 3960->3943 3964 11c8630 70 API calls 3961->3964 3966 11c5f02 3963->3966 3964->3946 3965 11c5f6b 4034 11c9f70 #316 #4815 #280 3965->4034 3966->3952 3969 11c5f09 #286 3966->3969 3968 11c5f79 3970 11c5f90 3968->3970 3971 11c5f80 3968->3971 3972 11c8630 70 API calls 3969->3972 4054 11ca400 #286 3970->4054 4037 11ca5b0 #286 3971->4037 3972->3946 3975 11c5f8e 3975->3943 4070 11c5670 3975->4070 3978 11c8630 70 API calls 3977->3978 3979 11c9a8a 3978->3979 3980 11c9c69 #286 3979->3980 3981 11c9ad7 memset GetLogicalDrives 3979->3981 4102 11c8960 #280 #286 3980->4102 3984 11c9b03 3981->3984 3983 11c9c57 Sleep 3983->3980 3984->3983 3987 11c9b58 #500 #11962 3984->3987 4099 11cab60 3984->4099 3985 11c9c82 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 3985->3934 3988 11c9c18 #2885 #1142 3987->3988 3989 11c9b88 #316 #4815 #280 3987->3989 3988->3984 3990 11c8630 70 API calls 3989->3990 3991 11c9bd2 3990->3991 3992 11c9be7 #1506 #1142 3991->3992 3992->3985 3994 11c9db4 Process32FirstW 3993->3994 3996 11c9dad __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 3993->3996 4000 11c9dcd 3994->4000 3995 11c9eab CloseHandle #316 #4815 #280 3997 11c8630 70 API 
calls 3995->3997 3996->3949 3998 11c9f02 #1506 3997->3998 3998->3996 4000->3995 4001 11c9e7c 4000->4001 4002 11c9e8d Process32NextW 4000->4002 4001->3995 4002->4000 4004 11c8630 70 API calls 4003->4004 4005 11ca0a2 4004->4005 4006 11ca0ea memset 4005->4006 4007 11ca0c7 #286 4005->4007 4009 11ca10a 4006->4009 4008 11c8630 70 API calls 4007->4008 4013 11ca0e0 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 4008->4013 4010 11cab60 _swprintf __stdio_common_vswprintf_s 4009->4010 4011 11ca129 4010->4011 4012 11ca152 #286 4011->4012 4014 11c2bf0 9 API calls 4011->4014 4015 11c8630 70 API calls 4012->4015 4013->3942 4016 11ca147 4014->4016 4017 11ca16d 4015->4017 4110 11ca3a0 4016->4110 4019 11cab60 _swprintf __stdio_common_vswprintf_s 4017->4019 4020 11ca199 4019->4020 4021 11ca1b5 #286 4020->4021 4115 11c8d00 4020->4115 4023 11c8630 70 API calls 4021->4023 4024 11ca1d0 4023->4024 4118 11c8f50 #286 4024->4118 4026 11ca1de 4146 11c90f0 4026->4146 4028 11ca1e9 #286 4029 11c8630 70 API calls 4028->4029 4029->4013 4031 11c8630 70 API calls 4030->4031 4032 11c9d16 #1506 4031->4032 4032->3951 4033->3965 4035 11c8630 70 API calls 4034->4035 4036 11c9fd7 #1506 4035->4036 4036->3968 4038 11c8630 70 API calls 4037->4038 4039 11ca5f4 FindWindowW GetWindowThreadProcessId OpenProcess TerminateProcess 4038->4039 4040 11ca63f FindWindowW GetWindowThreadProcessId OpenProcess TerminateProcess 4039->4040 4042 11ca690 4040->4042 4404 11ca300 #286 4042->4404 4045 11c96d0 Concurrency::details::SchedulerBase::GetPolicy 6 API calls 4046 11ca6ed 4045->4046 4047 11ca6f8 CreateProcessW 4046->4047 4048 11ca703 4047->4048 4049 11c2cc0 _invalid_parameter_noinfo_noreturn 4048->4049 4050 11ca71b #316 #4815 #280 4049->4050 4051 11c8630 70 API calls 4050->4051 4052 11ca757 #1506 4051->4052 4053 11ca77f __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 4052->4053 4053->3975 4055 11c8630 70 API calls 4054->4055 4056 11ca444 4055->4056 4410 11c8dd0 LoadLibraryW 4056->4410 4059 11ca522 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 4059->3975 4060 11ca300 74 API calls 4061 11ca463 memset 4060->4061 4062 11c9590 25 API calls 4061->4062 4063 11ca4a5 4062->4063 4064 11ca4b0 CreateProcessW 4063->4064 4065 11ca4bb 4064->4065 4066 11c2cc0 _invalid_parameter_noinfo_noreturn 4065->4066 4067 11ca4d3 #316 #4815 #280 4066->4067 4068 11c8630 70 API calls 4067->4068 4069 11ca50f #1506 4068->4069 4069->4059 4425 11c35e0 4070->4425 4072 11c56a7 4073 11c2b70 Concurrency::details::SchedulerBase::GetPolicy 6 API calls 4072->4073 4074 11c56bd 4073->4074 4075 11c2bf0 9 API calls 4074->4075 4076 11c56ce 4075->4076 4077 11c56ef 4076->4077 4438 11c34b0 CoCreateInstance 4076->4438 4440 11c4610 4077->4440 4080 11c587d 4462 11c53e0 4080->4462 4082 11c588c 4083 11c2cc0 _invalid_parameter_noinfo_noreturn 4082->4083 4086 11c5898 4083->4086 4084 11c5872 4457 11c7010 4084->4457 4087 11c2cc0 _invalid_parameter_noinfo_noreturn 4086->4087 4088 11c58a4 4087->4088 4465 11c4c90 4088->4465 4089 11c4720 9 API calls 4092 11c583a 4089->4092 4090 11c5772 4090->4089 4453 11c3dc0 4092->4453 4093 11c5725 __alloca_probe_16 4093->4080 4093->4084 4093->4090 4449 11c5600 4093->4449 4094 11c58b3 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 4094->3943 4098 11c4c40 _invalid_parameter_noinfo_noreturn 4098->4084 4105 11cab10 4099->4105 4103 11c86c0 67 API calls 4102->4103 4104 11c89bd #1506 4103->4104 4104->3985 4109 11cab00 4105->4109 4107 11cab2f __stdio_common_vswprintf_s 4108 11cab48 4107->4108 4108->3984 4109->4107 4208 11c8c90 4110->4208 4113 11c2cc0 _invalid_parameter_noinfo_noreturn 4114 11ca3eb 4113->4114 4114->4012 4116 11c33f0 9 API calls 4115->4116 4117 11c8d13 4116->4117 4117->4021 4119 11c8630 70 API calls 4118->4119 4120 11c8f95 4119->4120 4214 11c96d0 4120->4214 4122 11c8faa 4123 11c8fc2 #286 4122->4123 4124 11c8630 70 API calls 4123->4124 4125 11c8fd0 4124->4125 4126 11c2cc0 _invalid_parameter_noinfo_noreturn 4125->4126 4127 11c8fe2 4126->4127 4128 11c96d0 
Concurrency::details::SchedulerBase::GetPolicy 6 API calls 4127->4128 4129 11c8fee std::ios_base::good 4128->4129 4130 11c2cc0 _invalid_parameter_noinfo_noreturn 4129->4130 4131 11c9004 4130->4131 4132 11c900c #286 4131->4132 4133 11c9033 4131->4133 4217 11c85a0 #280 #286 4132->4217 4135 11c96d0 Concurrency::details::SchedulerBase::GetPolicy 6 API calls 4133->4135 4136 11c904a 4135->4136 4138 11c2bf0 9 API calls 4136->4138 4137 11c902b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 4137->4026 4139 11c906a 4138->4139 4220 11ca260 #500 4139->4220 4142 11c2cc0 _invalid_parameter_noinfo_noreturn 4143 11c90a2 4142->4143 4143->4137 4144 11c90aa #286 4143->4144 4145 11c85a0 70 API calls 4144->4145 4145->4137 4147 11c9134 4146->4147 4148 11c912f __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 4146->4148 4242 11c9590 GetModuleFileNameW #286 #12884 #8360 4147->4242 4148->4028 4150 11c9151 4151 11c2bf0 9 API calls 4150->4151 4152 11c917d 4151->4152 4153 11ca260 5 API calls 4152->4153 4154 11c9188 4153->4154 4155 11c2cc0 _invalid_parameter_noinfo_noreturn 4154->4155 4156 11c91cd 4155->4156 4156->4148 4157 11c9590 25 API calls 4156->4157 4158 11c91fe 4157->4158 4248 11c9730 #316 4158->4248 4161 11c2bf0 9 API calls 4162 11c9235 4161->4162 4263 11c4720 4162->4263 4166 11c9260 4167 11c2bf0 9 API calls 4166->4167 4168 11c9281 4167->4168 4169 11ca260 5 API calls 4168->4169 4170 11c928c 4169->4170 4171 11c929d 4170->4171 4172 11c92da #500 4170->4172 4273 11c4c40 4171->4273 4174 11caa30 4172->4174 4176 11c92fb #11962 #12351 memset #2885 4174->4176 4175 11c92b3 4177 11c2cc0 _invalid_parameter_noinfo_noreturn 4175->4177 4178 11c4720 9 API calls 4176->4178 4179 11c92c2 #1506 4177->4179 4180 11c9367 std::ios_base::good 4178->4180 4179->4148 4181 11c93f6 4180->4181 4182 11c9382 #286 4180->4182 4276 11c8b40 4181->4276 4183 11c85a0 70 API calls 4182->4183 4185 11c93a5 4183->4185 4187 11c4c40 _invalid_parameter_noinfo_noreturn 4185->4187 4189 11c93b4 #1142 4187->4189 4191 
11c4c40 _invalid_parameter_noinfo_noreturn 4189->4191 4190 11c943b 4192 11c8b40 6 API calls 4190->4192 4194 11c93cf 4191->4194 4193 11c9453 4192->4193 4195 11c9910 11 API calls 4193->4195 4196 11c2cc0 _invalid_parameter_noinfo_noreturn 4194->4196 4197 11c945e 4195->4197 4198 11c93de #1506 4196->4198 4199 11c9471 #316 #4815 #280 4197->4199 4198->4148 4200 11c8630 70 API calls 4199->4200 4201 11c94c5 #1506 4200->4201 4202 11c4c40 _invalid_parameter_noinfo_noreturn 4201->4202 4203 11c94e4 #1142 4202->4203 4204 11c4c40 _invalid_parameter_noinfo_noreturn 4203->4204 4205 11c94ff 4204->4205 4206 11c2cc0 _invalid_parameter_noinfo_noreturn 4205->4206 4207 11c950e #1506 4206->4207 4207->4148 4210 11c8ca2 allocator 4208->4210 4209 11c8cea 4209->4113 4210->4209 4211 11c3290 _invalid_parameter_noinfo_noreturn 4210->4211 4212 11c8cb6 Concurrency::details::ContextBase::GetWorkQueueIdentity Concurrency::details::SchedulerBase::GetPolicy 4210->4212 4211->4212 4213 11c3420 9 API calls 4212->4213 4213->4209 4227 11c2b70 4214->4227 4218 11c86c0 67 API calls 4217->4218 4219 11c85fd #1506 4218->4219 4219->4137 4240 11caa30 4220->4240 4222 11ca2ab #11962 4223 11ca2bc #2885 #1142 4222->4223 4224 11ca2b8 4222->4224 4225 11c2cc0 _invalid_parameter_noinfo_noreturn 4223->4225 4224->4223 4226 11c9072 4225->4226 4226->4142 4228 11c2ba0 allocator Concurrency::details::ContextBase::GetWorkQueueIdentity Concurrency::details::SchedulerBase::GetPolicy 4227->4228 4231 11c30b0 4228->4231 4232 11c30c1 Concurrency::details::ContextBase::GetWorkQueueIdentity Concurrency::details::SchedulerBase::GetPolicy 4231->4232 4233 11c30e9 4232->4233 4235 11c3113 Concurrency::details::ContextBase::GetWorkQueueIdentity _Min_value Concurrency::details::SchedulerBase::GetPolicy 4232->4235 4234 11c35a0 Concurrency::details::SchedulerBase::GetPolicy memcpy 4233->4234 4239 11c2bc9 4234->4239 4236 11c33a0 allocator 5 API calls 4235->4236 4237 11c3156 construct allocator 4236->4237 4238 11c35a0 
Concurrency::details::SchedulerBase::GetPolicy memcpy 4237->4238 4238->4239 4239->4122 4241 11caa5e Concurrency::details::ContextBase::GetWorkQueueIdentity Concurrency::details::SchedulerBase::GetPolicy 4240->4241 4241->4222 4292 11c5180 8 API calls 4242->4292 4244 11c9646 #6967 4245 11c2bf0 9 API calls 4244->4245 4246 11c9662 #1506 #1506 #1506 4245->4246 4247 11c96bc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 4246->4247 4247->4150 4249 11caa30 4248->4249 4250 11c9794 GetFileVersionInfoSizeW 4249->4250 4251 11c9852 #316 4250->4251 4252 11c97a7 4250->4252 4293 11c5240 8 API calls 4251->4293 4256 11c97d0 GetFileVersionInfoW 4252->4256 4254 11c9871 #6967 #4815 #1506 #280 4255 11c8630 70 API calls 4254->4255 4257 11c98ba #280 #1506 #1506 4255->4257 4258 11c9839 4256->4258 4259 11c97da VerQueryValueW 4256->4259 4260 11c2cc0 _invalid_parameter_noinfo_noreturn 4257->4260 4258->4251 4259->4258 4262 11c97f4 #4815 4259->4262 4261 11c9210 #6967 4260->4261 4261->4161 4262->4258 4264 11c474e 4263->4264 4294 11c6e60 4264->4294 4267 11ca790 4268 11ca7a1 std::ios_base::good 4267->4268 4328 11caab0 4268->4328 4270 11ca7b2 4271 11ca7cf WideCharToMultiByte 4270->4271 4272 11ca7e3 4271->4272 4272->4166 4361 11c6cf0 4273->4361 4275 11c4c6e 4275->4175 4277 11c8b70 allocator Concurrency::details::ContextBase::GetWorkQueueIdentity Concurrency::details::SchedulerBase::GetPolicy 4276->4277 4365 11ca800 4277->4365 4280 11c9910 4281 11c4720 9 API calls 4280->4281 4282 11c994f std::ios_base::good 4281->4282 4283 11c99dc 4282->4283 4288 11c9995 atoi 4282->4288 4379 11c8db0 4282->4379 4284 11c99e4 atoi 4283->4284 4285 11c4c40 _invalid_parameter_noinfo_noreturn 4284->4285 4286 11c9a0c 4285->4286 4287 11c4c40 _invalid_parameter_noinfo_noreturn 4286->4287 4290 11c9a1b __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 4287->4290 4376 11c8c70 4288->4376 4290->4190 4292->4244 4293->4254 4295 11c6e70 allocator char_traits 4294->4295 4298 11c6e90 4295->4298 4297 11c4769 4297->4267 4299 
11c6ea1 Concurrency::details::ContextBase::GetWorkQueueIdentity 4298->4299 4300 11c6eaf Concurrency::task_continuation_context::task_continuation_context 4299->4300 4301 11c6ef3 4299->4301 4305 11c73d0 memmove 4300->4305 4306 11c4140 4301->4306 4304 11c6ed4 Concurrency::task_continuation_context::task_continuation_context 4304->4297 4305->4304 4307 11c4151 Concurrency::task_continuation_context::task_continuation_context 4306->4307 4309 11c415b Concurrency::details::ContextBase::GetWorkQueueIdentity Concurrency::task_continuation_context::task_continuation_context 4307->4309 4316 11c3390 ?_Xlength_error@std@@YAXPBD 4307->4316 4317 11c6e30 4309->4317 4311 11c4198 allocator Concurrency::details::ContextBase::GetWorkQueueIdentity 4321 11c5360 4311->4321 4313 11c41d2 4315 11c41ed construct allocator 4313->4315 4324 11c70e0 4313->4324 4315->4304 4316->4309 4318 11c6e40 allocator 4317->4318 4319 11c27f0 _Allocate 5 API calls 4318->4319 4320 11c6e49 4319->4320 4320->4311 4327 11c7070 memcpy 4321->4327 4323 11c537a Concurrency::task_continuation_context::task_continuation_context 4323->4313 4325 11c28b0 _Deallocate _invalid_parameter_noinfo_noreturn 4324->4325 4326 11c70f4 4325->4326 4326->4315 4327->4323 4329 11caac1 std::ios_base::good 4328->4329 4331 11caacc 4329->4331 4332 11ca970 4329->4332 4331->4270 4333 11ca981 Concurrency::details::ContextBase::GetWorkQueueIdentity 4332->4333 4334 11ca9e9 4333->4334 4335 11ca99b Concurrency::task_continuation_context::task_continuation_context 4333->4335 4340 11c8a10 4334->4340 4339 11caa10 memset 4335->4339 4338 11ca9c7 Concurrency::task_continuation_context::task_continuation_context 4338->4331 4339->4338 4341 11c8a21 Concurrency::details::ContextBase::GetWorkQueueIdentity Concurrency::task_continuation_context::task_continuation_context 4340->4341 4343 11c8a42 Concurrency::details::ContextBase::GetWorkQueueIdentity Concurrency::task_continuation_context::task_continuation_context 4341->4343 4353 11c3390 
?_Xlength_error@std@@YAXPBD 4341->4353 4344 11c6e30 allocator 5 API calls 4343->4344 4345 11c8a7d allocator Concurrency::details::ContextBase::GetWorkQueueIdentity 4344->4345 4346 11c8aaf allocator 4345->4346 4347 11c8afa 4345->4347 4354 11c8d50 4346->4354 4348 11c8d50 2 API calls 4347->4348 4352 11c8af0 construct allocator 4348->4352 4350 11c8add 4351 11c70e0 allocator _invalid_parameter_noinfo_noreturn 4350->4351 4351->4352 4352->4338 4353->4343 4359 11c7070 memcpy 4354->4359 4356 11c8d6a 4360 11caa10 memset 4356->4360 4358 11c8d82 Concurrency::task_continuation_context::task_continuation_context 4358->4350 4359->4356 4360->4358 4363 11c6d01 allocator Concurrency::details::ContextBase::GetWorkQueueIdentity Concurrency::task_continuation_context::task_continuation_context 4361->4363 4362 11c6d5d Concurrency::task_continuation_context::task_continuation_context 4362->4275 4363->4362 4364 11c70e0 allocator _invalid_parameter_noinfo_noreturn 4363->4364 4364->4362 4366 11ca811 Concurrency::details::ContextBase::GetWorkQueueIdentity Concurrency::task_continuation_context::task_continuation_context 4365->4366 4367 11ca839 4366->4367 4370 11ca863 Concurrency::details::ContextBase::GetWorkQueueIdentity _Min_value Concurrency::task_continuation_context::task_continuation_context 4366->4370 4374 11c7070 memcpy 4367->4374 4369 11c8b99 4369->4280 4371 11c6e30 allocator 5 API calls 4370->4371 4372 11ca8a6 construct allocator 4371->4372 4375 11c7070 memcpy 4372->4375 4374->4369 4375->4369 4377 11c6e60 9 API calls 4376->4377 4378 11c8c83 4377->4378 4378->4282 4382 11c7840 4379->4382 4381 11c8dc4 4381->4282 4383 11c7851 Concurrency::details::ContextBase::GetWorkQueueIdentity 4382->4383 4385 11c7868 Concurrency::task_continuation_context::task_continuation_context 4383->4385 4386 11c4220 4383->4386 4385->4381 4387 11c4231 Concurrency::details::ContextBase::GetWorkQueueIdentity Concurrency::task_continuation_context::task_continuation_context 4386->4387 4389 11c4252 
Concurrency::details::ContextBase::GetWorkQueueIdentity Concurrency::task_continuation_context::task_continuation_context 4387->4389 4399 11c3390 ?_Xlength_error@std@@YAXPBD 4387->4399 4390 11c6e30 allocator 5 API calls 4389->4390 4391 11c428d allocator Concurrency::details::ContextBase::GetWorkQueueIdentity 4390->4391 4392 11c42bf allocator 4391->4392 4393 11c4306 4391->4393 4400 11c5300 4392->4400 4394 11c5300 Concurrency::task_continuation_context::task_continuation_context memcpy 4393->4394 4398 11c42fc construct allocator 4394->4398 4396 11c42e9 4397 11c70e0 allocator _invalid_parameter_noinfo_noreturn 4396->4397 4397->4398 4398->4385 4399->4389 4403 11c7070 memcpy 4400->4403 4402 11c531a Concurrency::task_continuation_context::task_continuation_context 4402->4396 4403->4402 4405 11c8630 70 API calls 4404->4405 4406 11ca31f FindWindowW 4405->4406 4407 11ca338 SendMessageA #286 4406->4407 4409 11ca35e memset 4406->4409 4408 11c8630 70 API calls 4407->4408 4408->4409 4409->4045 4411 11c8e37 GetProcAddress GetProcAddress 4410->4411 4412 11c8e17 #286 4410->4412 4416 11c8e65 4411->4416 4422 11c8ef4 4411->4422 4413 11c85a0 70 API calls 4412->4413 4415 11c8e2d 4413->4415 4414 11c8f19 FreeLibrary 4414->4415 4415->4059 4415->4060 4417 11c8ec0 WTSGetActiveConsoleSessionId 4416->4417 4418 11c8e8a 4416->4418 4419 11c8ea1 4416->4419 4416->4422 4420 11c8ed6 4417->4420 4418->4415 4421 11c8e90 FreeLibrary 4418->4421 4419->4417 4420->4422 4423 11c8ee0 4420->4423 4421->4415 4422->4414 4422->4415 4423->4415 4424 11c8ee6 FreeLibrary 4423->4424 4424->4415 4426 11c2bf0 9 API calls 4425->4426 4427 11c361c 4426->4427 4430 11c3652 4427->4430 4434 11c2bf0 9 API calls 4427->4434 4436 11c2cc0 _invalid_parameter_noinfo_noreturn 4427->4436 4468 11c2e00 CoInitialize CoCreateInstance 4427->4468 4470 11c2d30 4427->4470 4474 11c2ad0 4430->4474 4432 11c2cc0 _invalid_parameter_noinfo_noreturn 4433 11c375a __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 4432->4433 4433->4072 4434->4427 
4437 11c36e6 PropVariantClear 4436->4437 4437->4427 4437->4430 4439 11c3512 4438->4439 4439->4077 4441 11c466a ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N 4440->4441 4442 11c4645 ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE 4440->4442 4482 11c45a0 ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE 4441->4482 4442->4441 4446 11c46dc 4447 11c46f7 4446->4447 4448 11c46e0 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N 4446->4448 4447->4093 4448->4447 4450 11c560a 4449->4450 4452 11c5610 4449->4452 4451 11c5614 WideCharToMultiByte 4450->4451 4450->4452 4451->4452 4452->4090 4454 11c3dcb std::ios_base::good 4453->4454 4521 11c3e60 ?width@ios_base@std@ 4454->4521 4559 11c6fa0 4457->4559 4460 11c703d 4460->4080 4461 11c7026 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N 4461->4460 4573 11c4be0 4462->4573 4464 11c53f2 ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE 4464->4082 4466 11c2cc0 _invalid_parameter_noinfo_noreturn 4465->4466 4467 11c4c9f 4466->4467 4467->4094 4469 11c2e6a 4468->4469 4469->4427 4471 11c2d61 allocator 4470->4471 4472 11c3290 _invalid_parameter_noinfo_noreturn 4471->4472 4473 11c2d71 allocator Concurrency::details::ContextBase::GetWorkQueueIdentity 4471->4473 4472->4473 4473->4427 4475 11c2ae4 allocator 4474->4475 4478 11c2750 4475->4478 4477 11c2afd 4477->4432 4479 11c2760 allocator 4478->4479 4480 11c2b70 Concurrency::details::SchedulerBase::GetPolicy 6 API calls 4479->4480 4481 11c276c allocator 4480->4481 4481->4477 4494 11c6a90 4482->4494 4485 11c7440 4486 11c7471 ?_Fiopen@std@@YAPAU_iobuf@@PBDHH 4485->4486 4493 11c748e 4485->4493 4487 11c7492 4486->4487 4486->4493 4488 11c6a90 3 API calls 4487->4488 4489 11c74a0 ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2 4488->4489 4500 11c4430 ??0_Lockit@std@@QAE@H ??Bid@locale@std@ 4489->4500 4491 11c74c6 4510 11c6b60 ?always_noconv@codecvt_base@std@ 4491->4510 4493->4446 4495 11c6a9f 
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 4494->4495 4497 11c45ed 4495->4497 4498 11c6ace 4495->4498 4497->4485 4498->4497 4499 11c6ad7 _get_stream_buffer_pointers ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001 4498->4499 4499->4497 4514 11c6a00 4500->4514 4503 11c4528 ??1_Lockit@std@@QAE 4503->4491 4504 11c44a8 ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@ 4505 11c44be std::bad_alloc::bad_alloc 4504->4505 4506 11c44d6 4504->4506 4507 11c44c6 _CxxThrowException 4505->4507 4518 11cc10c 4506->4518 4507->4503 4509 11c449d 4509->4503 4511 11c6b77 4510->4511 4512 11c6b83 allocator 4510->4512 4511->4493 4513 11c6b8c ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 4512->4513 4513->4511 4515 11c6a17 4514->4515 4516 11c6a53 ?_Getgloballocale@locale@std@@CAPAV_Locimp@12 4515->4516 4517 11c448a 4515->4517 4516->4517 4517->4503 4517->4504 4517->4509 4519 11cb09a std::_Facet_Register 4 API calls 4518->4519 4520 11cc117 4519->4520 4520->4509 4522 11c3eed 4521->4522 4523 11c3eb2 4521->4523 4541 11c4aa0 4522->4541 4523->4522 4524 11c3eba ?width@ios_base@std@ 4523->4524 4524->4522 4525 11c3ed2 ?width@ios_base@std@ 4524->4525 4525->4522 4527 11c3f06 4528 11c3f2a ?flags@ios_base@std@ 4527->4528 4538 11c3f1c ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N 4527->4538 4530 11c3fbe 4528->4530 4539 11c3f4f char_traits 4528->4539 4531 11c3fd1 ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2 ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J 4530->4531 4540 11c4014 char_traits 4530->4540 4533 11c401c 4531->4533 4531->4540 4536 11c40aa ?width@ios_base@std@@QAE_J_J 4533->4536 4535 11c3f60 ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@ ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD 4535->4539 4536->4538 4537 11c403b 
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@ ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2 ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD 4537->4540 4548 11c50a0 ?uncaught_exception@std@ 4538->4548 4539->4530 4539->4535 4540->4533 4540->4536 4540->4537 4553 11c4970 ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2 4541->4553 4544 11c4b39 ?good@ios_base@std@ 4544->4527 4545 11c4af1 ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2 4545->4544 4546 11c4b06 ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2 4545->4546 4546->4544 4547 11c4b1e ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2 ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12 4546->4547 4547->4544 4549 11c50dd 4548->4549 4550 11c50d2 ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@ 4548->4550 4556 11c4f50 ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2 4549->4556 4550->4549 4554 11c499e ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2 4553->4554 4555 11c49c7 ?good@ios_base@std@ 4553->4555 4554->4555 4555->4544 4555->4545 4557 11c4f95 ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2 4556->4557 4558 11c3dde 4556->4558 4557->4558 4558->4098 4560 11c6fc1 4559->4560 4561 11c6fb8 4559->4561 4567 11c68e0 4560->4567 4563 11c6a90 3 API calls 4561->4563 4565 11c6ffe 4563->4565 4564 11c6fc9 fclose 4564->4561 4565->4460 4565->4461 4568 11c6907 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 4567->4568 4569 11c68fc char_traits 4567->4569 4568->4564 4569->4568 4570 11c694a ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD 4569->4570 4571 11c6979 4570->4571 4571->4568 4572 11c699b fwrite 
4571->4572 4572->4568 4576 11c4b70 4573->4576 4575 11c4c22 ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE 4575->4464 4577 11c4ba8 4576->4577 4578 11c4bb0 4576->4578 4582 11c6c50 ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 4577->4582 4579 11c4bc3 ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE 4578->4579 4581 11c6fa0 6 API calls 4578->4581 4579->4575 4581->4579 4583 11c6c88 4582->4583 4584 11c6c6a ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00 4582->4584 4583->4578 4584->4583 4877 11c65d0 4878 11c65f2 4877->4878 4897 11c6623 4877->4897 4879 11c65fc #286 4878->4879 4880 11c6628 #286 4878->4880 4881 11c6651 #286 4878->4881 4882 11c6681 #286 4878->4882 4878->4897 4886 11c8630 70 API calls 4879->4886 4888 11c8630 70 API calls 4880->4888 4884 11c8630 70 API calls 4881->4884 4885 11c8630 70 API calls 4882->4885 4890 11c666e 4884->4890 4891 11c669e Sleep 4885->4891 4892 11c6612 4886->4892 4887 11c66ca 4889 11c663e 4888->4889 4893 11ca300 74 API calls 4889->4893 4898 11ca540 #286 4890->4898 4895 11c5dd0 281 API calls 4891->4895 4896 11c5dd0 281 API calls 4892->4896 4893->4897 4895->4897 4896->4897 4904 11c6590 #3833 4897->4904 4899 11c8630 70 API calls 4898->4899 4900 11ca55f FindWindowW 4899->4900 4901 11ca578 SendMessageA #286 4900->4901 4902 11ca59e 4900->4902 4903 11c8630 70 API calls 4901->4903 4902->4897 4903->4902 4904->4887 4909 11cc3cd #1506 5288 11c10ce 5289 11cb345 pre_c_initialization 2 API calls 5288->5289 5290 11c10d3 5289->5290 4910 11c1dc0 hid_init 4911 11c1de7 4910->4911 4914 11c1de0 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 4910->4914 4932 11c25c0 calloc 4911->4932 4913 11c1dec 4915 11c2660 CreateFileA 4913->4915 4916 11c1dfa 4915->4916 4917 11c1e0a 4916->4917 4918 11c1e20 4916->4918 4919 11c26b0 3 API calls 4917->4919 4920 11c1e4f 4918->4920 4921 11c1e39 4918->4921 4930 11c1e18 4919->4930 4924 11c1e7d 4920->4924 4925 11c1e6a 4920->4925 4922 11c26b0 3 API calls 4921->4922 4922->4930 4927 11c1eaa malloc 
4924->4927 4928 11c1e97 4924->4928 4926 11c26b0 3 API calls 4925->4926 4926->4930 4927->4914 4929 11c26b0 3 API calls 4928->4929 4929->4930 4935 11c1130 CloseHandle CloseHandle LocalFree free free 4930->4935 4933 11c10e0 2 API calls 4932->4933 4934 11c2634 CreateEventW 4933->4934 4934->4913 4935->4914 4936 11c5fc0 #286 4937 11c8630 70 API calls 4936->4937 4938 11c5fdf #9418 4937->4938 5291 11cccc0 5292 11c2cc0 _invalid_parameter_noinfo_noreturn 5291->5292 5293 11ccccd 5292->5293 5295 11c40c3 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N 3739 11cacf6 3743 11cb7ad SetUnhandledExceptionFilter 3739->3743 3741 11cacfb pre_c_initialization 3742 11cad00 _set_new_mode 3741->3742 3743->3741 4939 11c6df0 4940 11c6e10 4939->4940 4941 11c6e00 _unlock_file 4939->4941 4941->4940 3744 11c39f0 #286 3763 11c8630 #280 #286 3744->3763 3746 11c3a3a InitCommonControlsEx #7997 #2205 3766 11c3910 3746->3766 3749 11c3a90 #952 3751 11c3aad #13911 #286 #6967 CreateEventW 3749->3751 3750 11c3aa3 3750->3751 3752 11c3b28 GetLastError 3751->3752 3753 11c3b35 #1506 3751->3753 3752->3753 3754 11c3b5d 3752->3754 3756 11c3c34 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 3753->3756 3769 11c4860 #462 3754->3769 3758 11c3bdf CloseHandle 3776 11c4ee0 #286 3758->3776 3759 11c3b97 3759->3758 3783 11c86c0 #500 #503 #316 3763->3783 3765 11c868d #1506 3765->3746 3814 11cb09a 3766->3814 3822 11c8bc0 3769->3822 3773 11c48d7 3828 11c5da0 #2215 LoadIconW 3773->3828 3775 11c3b6a #4092 3775->3758 3775->3759 3777 11c8630 70 API calls 3776->3777 3778 11c4f27 3777->3778 3896 11c8c40 3778->3896 3782 11c3c1b #1506 3782->3756 3803 11c8330 #286 #280 #1506 3783->3803 3785 11c871d 3804 11c83b0 6 API calls 3785->3804 3787 11c872d 3807 11c84c0 #316 GetLocalTime #4815 #280 #1506 3787->3807 3789 11c873d #6967 #4715 3790 11c8778 3789->3790 3791 11c8766 #6967 CreateDirectoryW 3789->3791 3809 11c5180 8 API calls 3790->3809 3791->3790 3793 11c8795 3810 11c8270 9 API calls 3793->3810 3795 11c87b2 #6967 
#11962 #1506 #1506 3796 11c87f6 3795->3796 3797 11c87ff #14606 3796->3797 3798 11c8816 3796->3798 3797->3798 3811 11c8270 9 API calls 3798->3811 3800 11c882c 3812 11c5180 8 API calls 3800->3812 3802 11c8849 19 API calls 3802->3765 3803->3785 3813 11c5180 8 API calls 3804->3813 3806 11c8451 #1523 #1506 #1506 #280 #1506 3806->3787 3808 11c857c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 3807->3808 3808->3789 3809->3793 3810->3795 3811->3800 3812->3802 3813->3806 3815 11cb0ac malloc 3814->3815 3816 11cb09f _callnewh 3815->3816 3817 11c391c 3815->3817 3816->3815 3818 11cb0bb std::_Facet_Register 3816->3818 3817->3749 3817->3750 3819 11cb99f std::_Facet_Register 3818->3819 3821 11cb990 _CxxThrowException 3818->3821 3820 11cb9ad _CxxThrowException 3819->3820 3821->3819 3829 11c2bf0 3822->3829 3825 11c2bf0 9 API calls 3826 11c48b2 3825->3826 3827 11c55d0 #2246 3826->3827 3827->3773 3828->3775 3830 11c2c1e 3829->3830 3833 11c33f0 3830->3833 3834 11c3400 allocator _WChar_traits 3833->3834 3837 11c3420 3834->3837 3836 11c2c39 3836->3825 3838 11c3431 Concurrency::details::ContextBase::GetWorkQueueIdentity 3837->3838 3839 11c3488 3838->3839 3841 11c343f Concurrency::details::SchedulerBase::GetPolicy 3838->3841 3847 11c29b0 3839->3847 3844 11c3830 3841->3844 3843 11c3464 3843->3836 3857 11c3890 memmove 3844->3857 3846 11c3844 3846->3843 3848 11c29c1 Concurrency::details::SchedulerBase::GetPolicy 3847->3848 3850 11c29cb Concurrency::details::ContextBase::GetWorkQueueIdentity 3848->3850 3858 11c3390 ?_Xlength_error@std@@YAXPBD 3848->3858 3859 11c33a0 3850->3859 3852 11c2a08 allocator Concurrency::details::ContextBase::GetWorkQueueIdentity 3863 11c2dc0 3852->3863 3854 11c2a42 3855 11c2a5d construct allocator 3854->3855 3866 11c35c0 3854->3866 3855->3843 3857->3846 3858->3850 3860 11c33b0 _Get_size_of_n 3859->3860 3869 11c27f0 3860->3869 3884 11c35a0 3863->3884 3865 11c2dda 3865->3854 3888 11c28b0 3866->3888 3868 11c35d6 3868->3855 3870 11c27fc 3869->3870 3871 11c280a 

                Control-flow Graph

                C-Code - Quality: 77%
                			E011C62D0(intOrPtr __ecx, void* __esi, void* __eflags) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				void* _t20;
                				intOrPtr _t25;
                				intOrPtr _t33;
                				intOrPtr _t38;
                				void* _t41;
                
                				_t41 = __eflags;
                				_t25 = __ecx;
                				_v8 = __ecx;
                				SetUnhandledExceptionFilter(E011C5900); // executed
                				_v12 = _t38;
                				__imp__#286(_t25); // executed
                				E011C8630(L"************************Dialog Init Start************************"); // executed
                				L011CBEDB();
                				E011C6780(_v8,  *((intOrPtr*)(_v8 + 0xd0)), 1); // executed
                				_t20 = E011C6780(_v8,  *((intOrPtr*)(_v8 + 0xd0)), 0); // executed
                				E011C5D20(_t20, _v8); // executed
                				L011CC150(); // executed
                				_t33 = _v8;
                				E011C5DD0(_t33,  *((intOrPtr*)(_v8 + 0x20)), __esi, _t41, 0x401, 0); // executed
                				_v16 = _t38 + 4;
                				__imp__#286(_t33,  *((intOrPtr*)(_v8 + 0x20)), 0); // executed
                				E011C8630(L"***********************Dialog Init Finish***********************"); // executed
                				return 1;
                			}












                APIs
                • SetUnhandledExceptionFilter.KERNELBASE(Function_00005900), ref: 011C62DE
                • #286.MFC140U(************************Dialog Init Start************************), ref: 011C62EF
                  • Part of subcall function 011C8630: #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                  • Part of subcall function 011C8630: #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C8630: #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                • #10472.MFC140U ref: 011C6300
                  • Part of subcall function 011C6780: SendMessageW.USER32(?,00000080,011C6319,?), ref: 011C679B
                  • Part of subcall function 011C5D20: #8817.MFC140U(00000000,00000000,00000000,00000000,00000001), ref: 011C5D34
                  • Part of subcall function 011C5D20: #14234.MFC140U(00000000,00000000,00000000,00000000,00000000,00000001), ref: 011C5D3E
                  • Part of subcall function 011C5D20: #8776.MFC140U(00040000,00000080,00000000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 011C5D52
                • WTSRegisterSessionNotification.WTSAPI32(?,00000000,?,00000000,?,00000001), ref: 011C633E
                  • Part of subcall function 011C5DD0: #286.MFC140U(Not found Device,?,00000014), ref: 011C5DFB
                • #286.MFC140U(***********************Dialog Init Finish***********************,?,?,00000000,?,00000000,?,00000001), ref: 011C635D
                Strings
                • ***********************Dialog Init Finish***********************, xrefs: 011C6358
                • ************************Dialog Init Start************************, xrefs: 011C62EA
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #286$#10472#14234#1506#280#8776#8817ExceptionFilterMessageNotificationRegisterSendSessionUnhandled
                • String ID: ************************Dialog Init Start************************$***********************Dialog Init Finish***********************
                • API String ID: 1555158641-3847803563
                • Opcode ID: 897013a09989b52c9b5c5f4a84f4c96bbc764ae96241fe6fe5fc0b04f4fe4f9e
                • Instruction ID: 9c1aa72ea8c8632b010f8299f63013543d982c4b0d162423d15ae6de05493fab
                • Opcode Fuzzy Hash: 897013a09989b52c9b5c5f4a84f4c96bbc764ae96241fe6fe5fc0b04f4fe4f9e
                • Instruction Fuzzy Hash: 91110CB4A00209ABDB08EBD4E956BAD7775ABA8B04F1041BCE5056B280DB717E01DB96
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 191 11cb7ad-11cb7b8 SetUnhandledExceptionFilter
                C-Code - Quality: 100%
                			E011CB7AD() {
                				_Unknown_base(*)()* _t1;
                
                				_t1 = SetUnhandledExceptionFilter(E011CB7B9); // executed
                				return _t1;
                			}





                APIs
                • SetUnhandledExceptionFilter.KERNELBASE(Function_0000B7B9,011CACFB), ref: 011CB7B2
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: 36543faa5db39c6879d9ab7ef3498abf5f79934ec7b7862264e26433d65647ca
                • Instruction ID: adbe2ee92f98bae5b7b2f99b7d3e91c50c69837966a92e0f14b7e535074e678e
                • Opcode Fuzzy Hash: 36543faa5db39c6879d9ab7ef3498abf5f79934ec7b7862264e26433d65647ca
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • #500.MFC140U(5A3FFFE3), ref: 011C86EF
                • #503.MFC140U(5A3FFFE3), ref: 011C86FE
                • #316.MFC140U(5A3FFFE3), ref: 011C870A
                  • Part of subcall function 011C8330: #286.MFC140U(IdeaShareService.log), ref: 011C8364
                  • Part of subcall function 011C8330: #280.MFC140U(?), ref: 011C8378
                  • Part of subcall function 011C8330: #1506.MFC140U ref: 011C8391
                  • Part of subcall function 011C83B0: #316.MFC140U(5A3FFFE3,?,?,?,00000000), ref: 011C83DF
                  • Part of subcall function 011C83B0: #5117.MFC140U(00000105,00000104,?,?,?,00000000), ref: 011C83F9
                  • Part of subcall function 011C83B0: GetModuleFileNameW.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 011C8402
                  • Part of subcall function 011C83B0: #12559.MFC140U(000000FF,?,?,?,00000000), ref: 011C840D
                  • Part of subcall function 011C83B0: #12884.MFC140U(0000005C,?,?,?,00000000), ref: 011C8418
                  • Part of subcall function 011C83B0: #8360.MFC140U(?,00000000,\Log,?,?,?,00000000), ref: 011C8431
                  • Part of subcall function 011C83B0: #1523.MFC140U(?,?,?,?,?,?,?,00000000), ref: 011C8468
                  • Part of subcall function 011C83B0: #1506.MFC140U(?,?,?,?,?,?,00000000), ref: 011C8475
                  • Part of subcall function 011C83B0: #1506.MFC140U(?,?,?,?,?,?,00000000), ref: 011C8482
                  • Part of subcall function 011C83B0: #280.MFC140U(000000FF,?,?,?,?,?,?,00000000), ref: 011C848F
                  • Part of subcall function 011C83B0: #1506.MFC140U(?,?,?,?,?,?,00000000), ref: 011C84A8
                  • Part of subcall function 011C84C0: #316.MFC140U ref: 011C84F2
                  • Part of subcall function 011C84C0: GetLocalTime.KERNEL32(5A3FFFE3), ref: 011C8503
                  • Part of subcall function 011C84C0: #4815.MFC140U(?,[%4d-%2d-%2d]-[%2d:%2d:%2d:%3d],5A3FFFE3,?,?,00000000,?,011CC879,?), ref: 011C8535
                  • Part of subcall function 011C84C0: #280.MFC140U(?), ref: 011C8545
                  • Part of subcall function 011C84C0: #1506.MFC140U ref: 011C855E
                • #6967.MFC140U(00000000), ref: 011C8750
                • #4715.MFC140U(00000000), ref: 011C875D
                • #6967.MFC140U(00000000,00000000), ref: 011C876B
                • CreateDirectoryW.KERNELBASE(00000000), ref: 011C8772
                • #6967.MFC140U(?,?,?,?,00000000,00000000), ref: 011C87C5
                • #11962.MFC140U(00000000,?,?,?,?,00000000,00000000), ref: 011C87CF
                • #1506.MFC140U(00000000,?,?,?,?,00000000,00000000), ref: 011C87DB
                • #1506.MFC140U(?,?,?,?,00000000,00000000), ref: 011C87E8
                • #14606.MFC140U(?,00000002,?,?,?,?,00000000,00000000), ref: 011C8811
                • #1523.MFC140U(?,?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C8860
                • #1506.MFC140U(?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C886D
                • #1506.MFC140U(?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C887A
                • #5885.MFC140U(?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C8883
                • #6967.MFC140U(00000000,?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C888F
                • #14606.MFC140U(00000000,?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C8899
                • #1692.MFC140U(011CE2C8,00000000,?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C88A6
                • #5885.MFC140U(?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C88AF
                • #6967.MFC140U(00000000,?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C88BB
                • #14606.MFC140U(00000000,?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C88C5
                • #2885.MFC140U(00000000,?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C88CD
                • #1506.MFC140U(00000000,?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C88DD
                • #1506.MFC140U(?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C88EA
                • #1506.MFC140U(?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C88F7
                • #1506.MFC140U(?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C8904
                • #1144.MFC140U(?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C8914
                • #1142.MFC140U(?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C8920
                • #1506.MFC140U(?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C892C
                • #1506.MFC140U(?,?,?,?,?,011CE2C4,?,?,?,?,00000000,00000000), ref: 011C893C
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #1506$#6967$#14606#280#316$#1523#5885$#1142#1144#11962#12559#12884#1692#286#2885#4715#4815#500#503#5117#8360CreateDirectoryFileLocalModuleNameTime
                • String ID:
                • API String ID: 1567984962-0
                • Opcode ID: 9334fdda361589d9203aaf9276ee2ff91cf1c040959e35b95645d21c6b4e5199
                • Instruction ID: 82c00072cee01f8fccaec5d3767c4744c9c60b4188630c1711b959402ba70320
                • Opcode Fuzzy Hash: 9334fdda361589d9203aaf9276ee2ff91cf1c040959e35b95645d21c6b4e5199
                • Instruction Fuzzy Hash: F9815CB1C04249EFCF09DBE4E958BDDBFB4AF24704F10816DE426A7290EB741A49CB51
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 49%
                			E011C9A40(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
                				int _v8;
                				char _v16;
                				signed int _v20;
                				void _v540;
                				char _v541;
                				int _v548;
                				int _v552;
                				char _v556;
                				unsigned int _v560;
                				intOrPtr _v564;
                				intOrPtr _v568;
                				long _v572;
                				int _v576;
                				intOrPtr _v580;
                				intOrPtr _v584;
                				void* _v604;
                				signed int _t51;
                				signed int _t52;
                				long _t61;
                				void* _t65;
                				int _t72;
                				signed int _t101;
                				void* _t102;
                				int _t103;
                				intOrPtr _t104;
                
                				_t103 = _t102 - 0x24c;
                				_t51 =  *0x11d3258; // 0x5a3fffe3
                				_t52 = _t51 ^ _t101;
                				_v20 = _t52;
                				 *[fs:0x0] =  &_v16;
                				_v568 = __ecx;
                				_t72 = _t103;
                				_v576 = _t103;
                				__imp__#286(__ecx, _t52,  *[fs:0x0], E011CCB37, 0xffffffff); // executed
                				E011C8630(L"Check IdeaShareKey Device"); // executed
                				_t104 = _t103 + 4;
                				_v564 = _a4;
                				_v552 = 0;
                				_v572 = 0xfa;
                				_v552 = 0;
                				while(1) {
                					_t94 = _v552;
                					if(_v552 >= _v564) {
                						break;
                					}
                					_v548 = 0;
                					memset( &_v540, 0, 0x208);
                					_t104 = _t104 + 0xc; // executed
                					_t61 = GetLogicalDrives(); // executed
                					_v560 = _t61;
                					while(_v560 != 0 && _v548 + 0x41 <= 0x5a) {
                						_push(E011CAA30());
                						_t65 = E011CAB60( &_v540, 0x104, L"%c:\\%s", _v548 + 0x41);
                						_t104 = _t104 + 0x14;
                						if(_t65 == 0) {
                							L10:
                							continue;
                						} else {
                							L011CBF59();
                							_v8 = 0;
                							_push(0);
                							_push(0);
                							_push( &_v540);
                							L011CBF5F(); // executed
                							if(_t65 == 0) {
                								L011CBF6B();
                								_v560 = _v560 >> 1;
                								_v548 = _v548 + 1;
                								_v8 = 0xffffffff;
                								L011CBF71();
                								goto L10;
                							} else {
                								__imp__#296();
                								_v8 = 1;
                								__imp__#4815( &_v556, L"Get Logical Drives:%c", _v548 + 0x41);
                								_v580 = _t104 + 0xc;
                								_t94 =  &_v556;
                								__imp__#280( &_v556);
                								E011C8630( &_v556);
                								E011CA370(_v568, _v548);
                								_v541 = 1;
                								_v8 = 0;
                								__imp__#1045();
                								_v8 = 0xffffffff;
                								L011CBF71();
                							}
                						}
                						L13:
                						 *[fs:0x0] = _v16;
                						return E011CB089(_v20 ^ _t101, _t94);
                					}
                					Sleep(_v572); // executed
                					_t72 = _v552 + 1;
                					_v552 = _t72;
                				}
                				_v584 = _t104;
                				__imp__#286(_t72); // executed
                				E011C8960(L"not Get Logical Drives"); // executed
                				goto L13;
                			}





























                APIs
                • #286.MFC140U(Check IdeaShareKey Device,?,5A3FFFE3), ref: 011C9A7F
                  • Part of subcall function 011C8630: #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                  • Part of subcall function 011C8630: #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C8630: #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                • memset.VCRUNTIME140(?,00000000,00000208), ref: 011C9AEF
                • GetLogicalDrives.KERNELBASE ref: 011C9AF7
                • _swprintf.LIBCMTD ref: 011C9B48
                • #500.MFC140U ref: 011C9B5E
                • #11962.MFC140U(?,00000000,00000000), ref: 011C9B7B
                • #316.MFC140U(?,00000000,00000000), ref: 011C9B8E
                • #4815.MFC140U(?,Get Logical Drives:%c,-00000041), ref: 011C9BAE
                • #280.MFC140U(?), ref: 011C9BC7
                • #1506.MFC140U(00000000), ref: 011C9BF8
                • #1142.MFC140U ref: 011C9C0B
                • #2885.MFC140U(?,00000000,00000000), ref: 011C9C1E
                • #1142.MFC140U(?,00000000,00000000), ref: 011C9C4D
                • Sleep.KERNELBASE(000000FA), ref: 011C9C5E
                • #286.MFC140U(not Get Logical Drives), ref: 011C9C77
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #286$#1142#1506#280$#11962#2885#316#4815#500DrivesLogicalSleep_swprintfmemset
                • String ID: %c:\%s$Check IdeaShareKey Device$Get Logical Drives:%c$not Get Logical Drives
                • API String ID: 3156476124-3082949880
                • Opcode ID: bb7a4431b6598a19621e959b173ba0399ec5106f48d22fa96d6b7932d7d6dc7a
                • Instruction ID: 2abd252a38b577aeafe88879d86826eae2678855bec8f2ca0aaab5c730987965
                • Opcode Fuzzy Hash: bb7a4431b6598a19621e959b173ba0399ec5106f48d22fa96d6b7932d7d6dc7a
                • Instruction Fuzzy Hash: 115183B0904219AFCB28DF94EC89BDDBBB4AF64B04F0041EDE419A7291DB745B84CF55
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 49%
                			E011C39F0(void* __ecx, void* __eflags) {
                				int _v8;
                				char _v16;
                				signed int _v20;
                				char _v300;
                				void* _v304;
                				WCHAR* _v308;
                				void* _v312;
                				WCHAR* _v316;
                				WCHAR* _v320;
                				intOrPtr _v324;
                				WCHAR* _v328;
                				WCHAR* _v332;
                				struct _SECURITY_ATTRIBUTES* _v336;
                				WCHAR* _v340;
                				struct _SECURITY_ATTRIBUTES* _v344;
                				struct _SECURITY_ATTRIBUTES* _v348;
                				intOrPtr _v352;
                				char _v356;
                				intOrPtr _v360;
                				signed int _t63;
                				signed int _t64;
                				WCHAR* _t68;
                				void* _t74;
                				void* _t98;
                				signed int _t108;
                				void* _t109;
                
                				_t63 =  *0x11d3258; // 0x5a3fffe3
                				_t64 = _t63 ^ _t108;
                				_v20 = _t64;
                				 *[fs:0x0] =  &_v16;
                				_v304 = __ecx;
                				_v360 = _t109 - 0x158;
                				__imp__#286(__ecx, _t64,  *[fs:0x0], E011CC3E4, 0xffffffff); // executed
                				E011C8630(L"********************IdeaShareService Start!!!********************"); // executed
                				_v356 = 8;
                				_v352 = 0xff;
                				__imp__InitCommonControlsEx( &_v356);
                				L011CBCBF(); // executed
                				_push(0);
                				L011CBCFB();
                				_t68 = E011C3910(0xc);
                				_v316 = _t68;
                				_v8 = 0;
                				if(_v316 == 0) {
                					_v320 = 0;
                				} else {
                					L011CBD01();
                					_v320 = _t68;
                				}
                				_v332 = _v320;
                				_v8 = 0xffffffff;
                				_v328 = _v332;
                				L011CBC23();
                				__imp__#286(L"Air Presence Monitor", 0x11cd76c);
                				_v8 = 1;
                				__imp__#1663();
                				 *((intOrPtr*)(_v304 + 0xcc)) = CreateEventW(0, 1, 0, _t68);
                				_t105 = _v304;
                				if( *((intOrPtr*)(_v304 + 0xcc)) == 0 || GetLastError() == 0xb7) {
                					_v336 = 0;
                					_v8 = 0xffffffff;
                					__imp__#1045();
                				} else {
                					E011C4860(0); // executed
                					_v8 = 2;
                					_t74 = _v304;
                					 *((intOrPtr*)(_t74 + 0x20)) =  &_v300;
                					L011CBBED(); // executed
                					_v324 = _t74;
                					if(_v328 != 0) {
                						_v340 = _v328;
                						_v308 = _v340;
                						if(_v308 == 0) {
                							_v344 = 0;
                						} else {
                							_v344 =  *((intOrPtr*)( *((intOrPtr*)( *_v308 + 4))))(1);
                						}
                					}
                					_t98 = _v304;
                					_t105 =  *(_t98 + 0xcc);
                					CloseHandle( *(_t98 + 0xcc));
                					 *(_v304 + 0xcc) = 0;
                					_v348 = 0;
                					_v8 = 1;
                					E011C4EE0( &_v300);
                					_v8 = 0xffffffff;
                					__imp__#1045();
                				}
                				 *[fs:0x0] = _v16;
                				return E011CB089(_v20 ^ _t108, _t105);
                			}





























                APIs
                • #286.MFC140U(********************IdeaShareService Start!!!********************,?,5A3FFFE3), ref: 011C3A2F
                  • Part of subcall function 011C8630: #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                  • Part of subcall function 011C8630: #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C8630: #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                • InitCommonControlsEx.COMCTL32(00000008), ref: 011C3A58
                • #7997.MFC140U ref: 011C3A64
                • #2205.MFC140U(00000000), ref: 011C3A6B
                • #952.MFC140U ref: 011C3A96
                  • Part of subcall function 011C4860: #462.MFC140U(00000066,011C3B6A,5A3FFFE3,?,00000000,011CC506,000000FF,?,011C3B6A,00000000), ref: 011C488F
                • #13911.MFC140U(011CD76C), ref: 011C3AD7
                • #286.MFC140U(Air Presence Monitor,011CD76C), ref: 011C3AE7
                • #6967.MFC140U ref: 011C3AFA
                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 011C3B07
                • GetLastError.KERNEL32 ref: 011C3B28
                • #1506.MFC140U ref: 011C3B4C
                • #4092.MFC140U(00000000), ref: 011C3B83
                • CloseHandle.KERNEL32(00000000,00000000), ref: 011C3BEC
                • #1506.MFC140U ref: 011C3C28
                Strings
                • Air Presence Monitor, xrefs: 011C3ADC
                • ********************IdeaShareService Start!!!********************, xrefs: 011C3A2A
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #1506#286$#13911#2205#280#4092#462#6967#7997#952CloseCommonControlsCreateErrorEventHandleInitLast
                • String ID: ********************IdeaShareService Start!!!********************$Air Presence Monitor
                • API String ID: 3536398266-542593313
                • Opcode ID: b9d1fee9ebd14a8637c08115ac5c246f8957af47c33f0173ac395f4e612231ef
                • Instruction ID: 06884339479e38b42e088128de73dec389911e50d7b621f5e51c32f014c2a030
                • Opcode Fuzzy Hash: b9d1fee9ebd14a8637c08115ac5c246f8957af47c33f0173ac395f4e612231ef
                • Instruction Fuzzy Hash: 5951F3B0905228DFDB28DF64DD59BDDBBB0BB58714F0042EDE429A7290DB751A84CF81
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 71%
                			E011C5DD0(intOrPtr __ecx, void* __edx, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                				intOrPtr _v8;
                				long _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				signed char _t32;
                				signed char _t34;
                				void* _t40;
                				signed char _t44;
                				signed char _t48;
                				signed char _t51;
                				void* _t53;
                				intOrPtr _t56;
                				signed int _t61;
                				intOrPtr _t62;
                				void* _t75;
                				long _t77;
                				void* _t80;
                				void* _t88;
                				void* _t93;
                				intOrPtr _t94;
                
                				_t93 = __esi;
                				_t88 = __edx;
                				_v8 = __ecx;
                				_t56 = _v8 + 0xd4; // executed
                				_t32 = E011C9A40(_t56, __eflags, 0x14); // executed
                				if((_t32 & 0x000000ff) == 0) {
                					_v16 = _t94;
                					__imp__#286(_t56); // executed
                					_t53 = E011C8630(L"Not found Device"); // executed
                					return _t53;
                				}
                				__eflags = _a4 - 0x8000;
                				if(__eflags != 0) {
                					_t51 = E011C9D50(_v8 + 0xd4, _t88);
                					__eflags = _t51 & 0x000000ff;
                					if((_t51 & 0x000000ff) != 0) {
                						return _t51;
                					}
                					__eflags = _v8 + 0xd4;
                					_a8 = E011C9710(_v8 + 0xd4);
                				}
                				_v12 = 0x1f4;
                				_t34 = E011CA070(_v8 + 0xd4, _a8, _t93, __eflags, _a8);
                				__eflags = _t34 & 0x000000ff;
                				if((_t34 & 0x000000ff) == 0) {
                					_t77 = _v12;
                					Sleep(_t77);
                					_v20 = _t94;
                					__imp__#286(_t77);
                					E011C8630(L"ParseDriverData Check Again");
                					_t94 = _t94 + 4;
                					_t80 = _v8 + 0xd4;
                					_t48 = E011CA070(_t80, _a8, _t93, __eflags, _a8);
                					__eflags = _t48 & 0x000000ff;
                					if((_t48 & 0x000000ff) == 0) {
                						_v24 = _t94;
                						__imp__#286(_t80);
                						return E011C8630(L"ParseDriverData error");
                					}
                				}
                				_t61 = E011C9CB0(_v8 + 0xd4) & 0x000000ff;
                				__eflags = _t61;
                				if(_t61 == 0) {
                					Sleep(_v12);
                					_v28 = _t94;
                					__imp__#286(_t61);
                					E011C8630(L"HasValidSetup Check Again");
                					_t94 = _t94 + 4;
                					_t75 = _v8 + 0xd4;
                					_t44 = E011C9CB0(_t75);
                					__eflags = _t44 & 0x000000ff;
                					if((_t44 & 0x000000ff) == 0) {
                						_v32 = _t94;
                						__imp__#286(_t75);
                						return E011C8630(L"HasValidSetup error");
                					}
                				}
                				_t62 = _v8;
                				__eflags =  *(_t62 + 0x110) & 0x000000ff;
                				if(( *(_t62 + 0x110) & 0x000000ff) != 0) {
                					_v36 = _t94;
                					__imp__#286(_t62);
                					return E011C8630(L"start protect and return");
                				}
                				 *((char*)(_v8 + 0x110)) = 1;
                				E011C67B0(_v8, 1, 0xbb8, 0);
                				__eflags = E011C9F70(_v8 + 0xd4) & 0x000000ff;
                				if(__eflags == 0) {
                					__eflags = _v8 + 0xd4;
                					_t40 = E011CA400(_v8 + 0xd4, _v8 + 0xd4);
                				} else {
                					_t40 = E011CA5B0(_v8 + 0xd4, __eflags);
                				}
                				__eflags = _a4 - 0x8000;
                				if(__eflags == 0) {
                					return E011C5670(_v8, __eflags);
                				}
                				return _t40;
                			}



























                APIs
                  • Part of subcall function 011C9A40: #286.MFC140U(Check IdeaShareKey Device,?,5A3FFFE3), ref: 011C9A7F
                  • Part of subcall function 011C9A40: memset.VCRUNTIME140(?,00000000,00000208), ref: 011C9AEF
                  • Part of subcall function 011C9A40: GetLogicalDrives.KERNELBASE ref: 011C9AF7
                  • Part of subcall function 011C9A40: _swprintf.LIBCMTD ref: 011C9B48
                  • Part of subcall function 011C9A40: #500.MFC140U ref: 011C9B5E
                  • Part of subcall function 011C9A40: #11962.MFC140U(?,00000000,00000000), ref: 011C9B7B
                  • Part of subcall function 011C9A40: #316.MFC140U(?,00000000,00000000), ref: 011C9B8E
                  • Part of subcall function 011C9A40: #4815.MFC140U(?,Get Logical Drives:%c,-00000041), ref: 011C9BAE
                  • Part of subcall function 011C9A40: #280.MFC140U(?), ref: 011C9BC7
                  • Part of subcall function 011C9A40: #1506.MFC140U(00000000), ref: 011C9BF8
                  • Part of subcall function 011C9A40: #1142.MFC140U ref: 011C9C0B
                • #286.MFC140U(Not found Device,?,00000014), ref: 011C5DFB
                  • Part of subcall function 011C8630: #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                  • Part of subcall function 011C8630: #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C8630: #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #286$#1506#280$#1142#11962#316#4815#500DrivesLogical_swprintfmemset
                • String ID: HasValidSetup Check Again$HasValidSetup error$Not found Device$ParseDriverData Check Again$ParseDriverData error$start protect and return
                • API String ID: 2793170334-1606213482
                • Opcode ID: f706958adb10ad2938bf51ce2557ed7f67d9b1f6ca36a8706a84ce5127859aa8
                • Instruction ID: 0329a9a6d8076b5a5c1616645a97b3e9d5ab340645730b8355b6ccd935a4b631
                • Opcode Fuzzy Hash: f706958adb10ad2938bf51ce2557ed7f67d9b1f6ca36a8706a84ce5127859aa8
                • Instruction Fuzzy Hash: FE41B9B0A14116ABDF0CEBD9E85577D7772AF74B08F00407DF1066A281DB356A00DBA7
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 51%
                			E011C9AB6() {
                				long _t46;
                				void* _t50;
                				signed int _t80;
                				intOrPtr _t82;
                
                				L0:
                				while(1) {
                					L0:
                					_t57 =  *(_t80 - 0x224) + 1;
                					 *(_t80 - 0x224) = _t57;
                					L1:
                					_t75 =  *(_t80 - 0x224);
                					if( *(_t80 - 0x224) >=  *((intOrPtr*)(_t80 - 0x230))) {
                						L11:
                						 *((intOrPtr*)(_t80 - 0x244)) = _t82;
                						__imp__#286(_t57); // executed
                						E011C8960(L"not Get Logical Drives"); // executed
                					} else {
                						L2:
                						 *(_t80 - 0x220) = 0;
                						memset(_t80 - 0x218, 0, 0x208);
                						_t82 = _t82 + 0xc; // executed
                						_t46 = GetLogicalDrives(); // executed
                						 *(_t80 - 0x22c) = _t46;
                						L3:
                						while( *(_t80 - 0x22c) != 0) {
                							_t57 =  *(_t80 - 0x220) + 0x41;
                							if( *(_t80 - 0x220) + 0x41 > 0x5a) {
                								break;
                							} else {
                								L5:
                								_t57 = 0x11d36d0;
                								_push(E011CAA30());
                								_t75 =  *(_t80 - 0x220) + 0x41;
                								_t50 = E011CAB60(_t80 - 0x218, 0x104, L"%c:\\%s",  *(_t80 - 0x220) + 0x41);
                								_t82 = _t82 + 0x14;
                								if(_t50 == 0) {
                									L9:
                									continue;
                								} else {
                									L6:
                									L011CBF59();
                									 *(_t80 - 4) = 0;
                									_push(0);
                									_push(0);
                									_push(_t80 - 0x218);
                									L011CBF5F(); // executed
                									if(_t50 == 0) {
                										L8:
                										L011CBF6B();
                										 *(_t80 - 0x22c) =  *(_t80 - 0x22c) >> 1;
                										_t75 =  *(_t80 - 0x220) + 1;
                										 *(_t80 - 0x220) =  *(_t80 - 0x220) + 1;
                										 *(_t80 - 4) = 0xffffffff;
                										_t57 = _t80 - 0x258;
                										L011CBF71();
                										goto L9;
                									} else {
                										L7:
                										__imp__#296();
                										 *(_t80 - 4) = 1;
                										__imp__#4815(_t80 - 0x228, L"Get Logical Drives:%c",  *(_t80 - 0x220) + 0x41);
                										 *((intOrPtr*)(_t80 - 0x240)) = _t82 + 0xc;
                										_t75 = _t80 - 0x228;
                										__imp__#280(_t80 - 0x228);
                										E011C8630(_t80 - 0x228);
                										E011CA370( *((intOrPtr*)(_t80 - 0x234)),  *(_t80 - 0x220));
                										 *((char*)(_t80 - 0x219)) = 1;
                										 *(_t80 - 4) = 0;
                										__imp__#1045();
                										 *(_t80 - 4) = 0xffffffff;
                										L011CBF71();
                									}
                								}
                							}
                							goto L12;
                						}
                						L10:
                						Sleep( *(_t80 - 0x238)); // executed
                						continue;
                					}
                					L12:
                					 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0xc));
                					return E011CB089( *(_t80 - 0x10) ^ _t80, _t75);
                					L13:
                				}
                			}







                APIs
                • memset.VCRUNTIME140(?,00000000,00000208), ref: 011C9AEF
                • GetLogicalDrives.KERNELBASE ref: 011C9AF7
                • _swprintf.LIBCMTD ref: 011C9B48
                • #500.MFC140U ref: 011C9B5E
                • #11962.MFC140U(?,00000000,00000000), ref: 011C9B7B
                • #316.MFC140U(?,00000000,00000000), ref: 011C9B8E
                • #4815.MFC140U(?,Get Logical Drives:%c,-00000041), ref: 011C9BAE
                • #280.MFC140U(?), ref: 011C9BC7
                • #1506.MFC140U(00000000), ref: 011C9BF8
                • #1142.MFC140U ref: 011C9C0B
                • Sleep.KERNELBASE(000000FA), ref: 011C9C5E
                • #286.MFC140U(not Get Logical Drives), ref: 011C9C77
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #1142#11962#1506#280#286#316#4815#500DrivesLogicalSleep_swprintfmemset
                • String ID: %c:\%s$Get Logical Drives:%c
                • API String ID: 3872463447-2830019738
                • Opcode ID: 72f14f4f93882808a6f5b8c4d766fcfd5444004bcc2a2f030b46a68c83f13bf7
                • Instruction ID: 67b354e963b77b276c9038eeb0de42ad2f24f99b36d2c4cef25f98558b48ecc2
                • Opcode Fuzzy Hash: 72f14f4f93882808a6f5b8c4d766fcfd5444004bcc2a2f030b46a68c83f13bf7
                • Instruction Fuzzy Hash: 513162B0900119AFDB28DB94EC9DBEDBB74AF64B08F0041ECD40AA2291DB705BC5CF59
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 166 11c8960-11c89b8 #280 #286 call 11c86c0 168 11c89bd-11c89e5 #1506 166->168
                APIs
                • #280.MFC140U(011C9C82,?,5A3FFFE3,000000FF,?,011C9C82), ref: 011C8996
                • #286.MFC140U(Warn,?,?,5A3FFFE3,000000FF,?,011C9C82), ref: 011C89AE
                  • Part of subcall function 011C86C0: #500.MFC140U(5A3FFFE3), ref: 011C86EF
                  • Part of subcall function 011C86C0: #503.MFC140U(5A3FFFE3), ref: 011C86FE
                  • Part of subcall function 011C86C0: #316.MFC140U(5A3FFFE3), ref: 011C870A
                  • Part of subcall function 011C86C0: #6967.MFC140U(00000000), ref: 011C8750
                  • Part of subcall function 011C86C0: #4715.MFC140U(00000000), ref: 011C875D
                  • Part of subcall function 011C86C0: #6967.MFC140U(00000000,00000000), ref: 011C876B
                  • Part of subcall function 011C86C0: CreateDirectoryW.KERNELBASE(00000000), ref: 011C8772
                  • Part of subcall function 011C86C0: #6967.MFC140U(?,?,?,?,00000000,00000000), ref: 011C87C5
                  • Part of subcall function 011C86C0: #11962.MFC140U(00000000,?,?,?,?,00000000,00000000), ref: 011C87CF
                  • Part of subcall function 011C86C0: #1506.MFC140U(00000000,?,?,?,?,00000000,00000000), ref: 011C87DB
                  • Part of subcall function 011C86C0: #1506.MFC140U(?,?,?,?,00000000,00000000), ref: 011C87E8
                  • Part of subcall function 011C86C0: #14606.MFC140U(?,00000002,?,?,?,?,00000000,00000000), ref: 011C8811
                • #1506.MFC140U(?,5A3FFFE3,000000FF,?,011C9C82), ref: 011C89CE
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #1506#6967$#11962#14606#280#286#316#4715#500#503CreateDirectory
                • String ID: Warn
                • API String ID: 3432314039-2307399227
                • Opcode ID: 81961bd1ffb270371b88ece7d641e85fbcd2197a7703125b29922e8ac996f513
                • Instruction ID: fbae0a9f09095aa6bd75013d1cb25db3661ce0ee0716bf6fa0049219bab66ff4
                • Opcode Fuzzy Hash: 81961bd1ffb270371b88ece7d641e85fbcd2197a7703125b29922e8ac996f513
                • Instruction Fuzzy Hash: DF015EB5D18248EFCB14DFA8E90579DBFB8EB19714F1042ADE829A3380D7751744CB92
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 163 11c8630-11c86b5 #280 #286 call 11c86c0 #1506
                APIs
                • #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                • #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C86C0: #500.MFC140U(5A3FFFE3), ref: 011C86EF
                  • Part of subcall function 011C86C0: #503.MFC140U(5A3FFFE3), ref: 011C86FE
                  • Part of subcall function 011C86C0: #316.MFC140U(5A3FFFE3), ref: 011C870A
                  • Part of subcall function 011C86C0: #6967.MFC140U(00000000), ref: 011C8750
                  • Part of subcall function 011C86C0: #4715.MFC140U(00000000), ref: 011C875D
                  • Part of subcall function 011C86C0: #6967.MFC140U(00000000,00000000), ref: 011C876B
                  • Part of subcall function 011C86C0: CreateDirectoryW.KERNELBASE(00000000), ref: 011C8772
                  • Part of subcall function 011C86C0: #6967.MFC140U(?,?,?,?,00000000,00000000), ref: 011C87C5
                  • Part of subcall function 011C86C0: #11962.MFC140U(00000000,?,?,?,?,00000000,00000000), ref: 011C87CF
                  • Part of subcall function 011C86C0: #1506.MFC140U(00000000,?,?,?,?,00000000,00000000), ref: 011C87DB
                  • Part of subcall function 011C86C0: #1506.MFC140U(?,?,?,?,00000000,00000000), ref: 011C87E8
                  • Part of subcall function 011C86C0: #14606.MFC140U(?,00000002,?,?,?,?,00000000,00000000), ref: 011C8811
                • #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #1506#6967$#11962#14606#280#286#316#4715#500#503CreateDirectory
                • String ID: Info
                • API String ID: 3432314039-1807457897
                • Opcode ID: ed77b0f1b4a465038aff15e5877cfa94b9a5b240d0a1f5714b631f382ddcc1b6
                • Instruction ID: 06588b14edfe244156e94a0b726d219c26bd95c7de9bbc5066ee2c0b3374da88
                • Opcode Fuzzy Hash: ed77b0f1b4a465038aff15e5877cfa94b9a5b240d0a1f5714b631f382ddcc1b6
                • Instruction Fuzzy Hash: B9015EB5D08248EFCB14DFA8E905B9DBFB8EB19714F1042ADE829A3380D7751744CB92
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 169 11c5d20-11c5d5a #8817 #14234 #8776
                C-Code - Quality: 16%
                			E011C5D20(void* __eax, intOrPtr __ecx) {
                				intOrPtr _v8;
                
                				_push(__ecx);
                				_v8 = __ecx;
                				_push(1);
                				_push(0);
                				_push(0);
                				_push(0);
                				_push(0);
                				L011CBD73(); // executed
                				_push("true");
                				L011CBD79(); // executed
                				_push(0);
                				_push(0x80);
                				_push(0x40000);
                				L011CBD37();
                				return __eax;
                			}





                APIs
                • #8817.MFC140U(00000000,00000000,00000000,00000000,00000001), ref: 011C5D34
                • #14234.MFC140U(00000000,00000000,00000000,00000000,00000000,00000001), ref: 011C5D3E
                • #8776.MFC140U(00040000,00000080,00000000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 011C5D52
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #14234#8776#8817
                • String ID:
                • API String ID: 1866587484-0
                • Opcode ID: 636b0c01ea83bde0b1988864b336d800a4c627a62fbd3e0cf16ff4e981b74bff
                • Instruction ID: 07fc9e49f5e3a0ca1e37c0be15ac26e436ff8af5a5351284b2689b7306f92f3d
                • Opcode Fuzzy Hash: 636b0c01ea83bde0b1988864b336d800a4c627a62fbd3e0cf16ff4e981b74bff
                • Instruction Fuzzy Hash: 56E0EC30784308B6E628EA50DD53FAD72259B60F48F200198B7047E2C0CAE23E00968D
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 170 11cb3ba call 11cb3fe 172 11cb3bf-11cb3c9 call 11cb18c 170->172 175 11cb3d9-11cb3fd call 11cb61a 172->175 176 11cb3cb-11cb3d8 call 11cb345 172->176
                C-Code - Quality: 71%
                			E011CB3BA(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                				signed int _v0;
                				void* _t3;
                				signed int _t8;
                
                				E011CB3FE(__ebx, __edx, __edi, __esi); // executed
                				_t3 = E011CB18C(__edx, 0);
                				_t24 = _t3;
                				if(_t3 == 0) {
                					E011CB61A(__edx, __edi, __esi, 7);
                					asm("int3");
                					_push(0x20);
                					asm("ror eax, cl");
                					_t8 = _v0 ^  *0x11d3258;
                					__eflags = _t8;
                					return _t8;
                				} else {
                					E011CB345(_t24, 0x11cb4ed);
                					return 0;
                				}
                			}







                APIs
                • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 011CB3BA
                  • Part of subcall function 011CB3FE: InitializeCriticalSectionAndSpinCount.KERNEL32(011D3A78,00000FA0,5A3FFFE3,?,?,?,?,011CC780,000000FF), ref: 011CB42D
                  • Part of subcall function 011CB3FE: GetModuleHandleW.KERNELBASE(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,011CC780,000000FF), ref: 011CB438
                  • Part of subcall function 011CB3FE: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,011CC780,000000FF), ref: 011CB449
                  • Part of subcall function 011CB3FE: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 011CB45F
                  • Part of subcall function 011CB3FE: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 011CB46D
                  • Part of subcall function 011CB3FE: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 011CB47B
                  • Part of subcall function 011CB3FE: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 011CB4A6
                  • Part of subcall function 011CB3FE: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 011CB4B1
                • ___scrt_fastfail.LIBCMT ref: 011CB3DB
                  • Part of subcall function 011CB345: __onexit.LIBCMT ref: 011CB34B
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                • String ID:
                • API String ID: 66158676-0
                • Opcode ID: e3ebf0765d5caa3426f12e32de2da71ec414b0bdb5e0e10fd9bf2078aa01c89a
                • Instruction ID: bb22d7556191e63c0d658b25839d202244af4d76240f0c8efb994c82a7155a3f
                • Opcode Fuzzy Hash: e3ebf0765d5caa3426f12e32de2da71ec414b0bdb5e0e10fd9bf2078aa01c89a
                • Instruction Fuzzy Hash: 8AE08C2266D30667D91CAABCF807B4833819770DA5F00115DBA29CA4C5DF80A480821A
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 182 11c5da0-11c5dc2 #2215 LoadIconW
                C-Code - Quality: 53%
                			E011C5DA0(intOrPtr __ecx, signed int _a4) {
                				intOrPtr _v8;
                				struct HINSTANCE__* _t4;
                				struct HICON__* _t5;
                
                				_push(__ecx);
                				_v8 = __ecx;
                				_t4 = _a4 & 0x0000ffff;
                				_push(_t4);
                				_push(0xe);
                				L011CBF23(); // executed
                				_t5 = LoadIconW(_t4, _a4 & 0x0000ffff); // executed
                				return _t5;
                			}







                APIs
                • #2215.MFC140U(011C3B6A,0000000E,011C3B6A,00000000,?,011C48DE,00000080,00000066,011C3B6A,5A3FFFE3,?,00000000,011CC506,000000FF,?,011C3B6A), ref: 011C5DB3
                • LoadIconW.USER32(00000000,011C3B6A), ref: 011C5DB9
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #2215IconLoad
                • String ID:
                • API String ID: 2636068934-0
                • Opcode ID: d9884a51c73bcf9c119f279806633d02341bcf47b264156d3cc1ba4c58e0eb84
                • Instruction ID: b7bc4ed082e63c00d498ce8bd3e20f423a4f358f944345721375b8a53a90d8e3
                • Opcode Fuzzy Hash: d9884a51c73bcf9c119f279806633d02341bcf47b264156d3cc1ba4c58e0eb84
                • Instruction Fuzzy Hash: DCD0A7F140820876C7185F91E80197A7AACD758741F00415DBD0485280D576C58092B5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 183 11c4860-11c48ff #462 call 11c8bc0 call 11c55d0 call 11c5da0
                C-Code - Quality: 60%
                			E011C4860(intOrPtr _a4) {
                				char _v8;
                				char _v16;
                				intOrPtr* _v20;
                				void* __ecx;
                				signed int _t19;
                				intOrPtr _t26;
                				intOrPtr* _t28;
                				signed int _t38;
                
                				_push(0xffffffff);
                				_push(E011CC506);
                				_push( *[fs:0x0]);
                				_push(_t28);
                				_t19 =  *0x11d3258; // 0x5a3fffe3
                				_push(_t19 ^ _t38);
                				 *[fs:0x0] =  &_v16;
                				_v20 = _t28;
                				_push(_a4);
                				_push(0x66);
                				L011CBF3B();
                				_v8 = 0;
                				 *_v20 = 0x11cdf68;
                				E011C8BC0();
                				_v8 = 1;
                				 *((intOrPtr*)(_v20 + 0x10c)) = 0;
                				 *((char*)(_v20 + 0x110)) = 0;
                				_t26 = E011C5DA0(E011C55D0(_v20), 0x80); // executed
                				 *((intOrPtr*)(_v20 + 0xd0)) = _t26;
                				_v8 = 0xffffffff;
                				 *[fs:0x0] = _v16;
                				return _v20;
                			}












                APIs
                • #462.MFC140U(00000066,011C3B6A,5A3FFFE3,?,00000000,011CC506,000000FF,?,011C3B6A,00000000), ref: 011C488F
                  • Part of subcall function 011C55D0: #2246.MFC140U(?,011C48D7,00000080,00000066,011C3B6A,5A3FFFE3,?,00000000,011CC506,000000FF,?,011C3B6A), ref: 011C55D3
                  • Part of subcall function 011C5DA0: #2215.MFC140U(011C3B6A,0000000E,011C3B6A,00000000,?,011C48DE,00000080,00000066,011C3B6A,5A3FFFE3,?,00000000,011CC506,000000FF,?,011C3B6A), ref: 011C5DB3
                  • Part of subcall function 011C5DA0: LoadIconW.USER32(00000000,011C3B6A), ref: 011C5DB9
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #2215#2246#462IconLoad
                • String ID:
                • API String ID: 2076563837-0
                • Opcode ID: 38bfbeb61e5f2aa23265c1f69252f5b5d5feab7c6804d132d28ca2bae1aadc4b
                • Instruction ID: d115a560065ee69257ac4255d729d4e589b0654157fe6345c211fb80bcd7b88b
                • Opcode Fuzzy Hash: 38bfbeb61e5f2aa23265c1f69252f5b5d5feab7c6804d132d28ca2bae1aadc4b
                • Instruction Fuzzy Hash: ED1184B0A0424ADFCB08CF94C850BAEB7B5FB24B14F10466DE825AB3C0DB756901CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 190 11c6780-11c67a4 SendMessageW
                C-Code - Quality: 68%
                			E011C6780(intOrPtr __ecx, long _a4, int _a8) {
                				intOrPtr _v8;
                				long _t8;
                
                				_push(__ecx);
                				_v8 = __ecx;
                				_t8 = SendMessageW( *(_v8 + 0x20), 0x80, _a8, _a4); // executed
                				return _t8;
                			}






                APIs
                • SendMessageW.USER32(?,00000080,011C6319,?), ref: 011C679B
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 7a6a6a7829d0a6b131e9d5dffb1cfddd7d4b59df0784b3701c877095fc395b29
                • Instruction ID: f1e18227b8397faee6601464c84ddb1a63360c29dcf55a4a8b654278541f8650
                • Opcode Fuzzy Hash: 7a6a6a7829d0a6b131e9d5dffb1cfddd7d4b59df0784b3701c877095fc395b29
                • Instruction Fuzzy Hash: D3D09EB5605108BFCB48DFC9E945D5AB7ACFB4C310F108259F94887740D671EE509BE4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E011C22D0() {
                				signed int _t1;
                				struct HINSTANCE__* _t3;
                				signed int _t4;
                				signed int _t5;
                				signed int _t6;
                				struct HINSTANCE__* _t7;
                				signed int _t8;
                				signed int _t9;
                				signed int _t10;
                				struct HINSTANCE__* _t11;
                				signed int _t12;
                				signed int _t13;
                				signed int _t14;
                				struct HINSTANCE__* _t15;
                				signed int _t16;
                				signed int _t17;
                				struct HINSTANCE__* _t30;
                				struct HINSTANCE__* _t31;
                				struct HINSTANCE__* _t32;
                				struct HINSTANCE__* _t33;
                				struct HINSTANCE__* _t34;
                				struct HINSTANCE__* _t35;
                				struct HINSTANCE__* _t36;
                
                				_t1 = LoadLibraryA("hid.dll");
                				 *0x11d35dc = _t1;
                				if( *0x11d35dc == 0) {
                					return _t1 | 0xffffffff;
                				}
                				_t3 =  *0x11d35dc; // 0x0
                				_t4 = GetProcAddress(_t3, "HidD_GetAttributes");
                				 *0x11d35b0 = _t4;
                				if( *0x11d35b0 != 0) {
                					_t30 =  *0x11d35dc; // 0x0
                					_t5 = GetProcAddress(_t30, "HidD_GetSerialNumberString");
                					 *0x11d35b4 = _t5;
                					if( *0x11d35b4 != 0) {
                						_t34 =  *0x11d35dc; // 0x0
                						_t6 = GetProcAddress(_t34, "HidD_GetManufacturerString");
                						 *0x11d35b8 = _t6;
                						if( *0x11d35b8 != 0) {
                							_t7 =  *0x11d35dc; // 0x0
                							_t8 = GetProcAddress(_t7, "HidD_GetProductString");
                							 *0x11d35bc = _t8;
                							if( *0x11d35bc != 0) {
                								_t31 =  *0x11d35dc; // 0x0
                								_t9 = GetProcAddress(_t31, "HidD_SetFeature");
                								 *0x11d35c0 = _t9;
                								if( *0x11d35c0 != 0) {
                									_t35 =  *0x11d35dc; // 0x0
                									_t10 = GetProcAddress(_t35, "HidD_GetFeature");
                									 *0x11d35c4 = _t10;
                									if( *0x11d35c4 != 0) {
                										_t11 =  *0x11d35dc; // 0x0
                										_t12 = GetProcAddress(_t11, "HidD_GetIndexedString");
                										 *0x11d35c8 = _t12;
                										if( *0x11d35c8 != 0) {
                											_t32 =  *0x11d35dc; // 0x0
                											_t13 = GetProcAddress(_t32, "HidD_GetPreparsedData");
                											 *0x11d35cc = _t13;
                											if( *0x11d35cc != 0) {
                												_t36 =  *0x11d35dc; // 0x0
                												_t14 = GetProcAddress(_t36, "HidD_FreePreparsedData");
                												 *0x11d35d0 = _t14;
                												if( *0x11d35d0 != 0) {
                													_t15 =  *0x11d35dc; // 0x0
                													_t16 = GetProcAddress(_t15, "HidP_GetCaps");
                													 *0x11d35d4 = _t16;
                													if( *0x11d35d4 != 0) {
                														_t33 =  *0x11d35dc; // 0x0
                														_t17 = GetProcAddress(_t33, "HidD_SetNumInputBuffers");
                														 *0x11d35d8 = _t17;
                														if( *0x11d35d8 != 0) {
                															return 0;
                														}
                														return _t17 | 0xffffffff;
                													}
                													return _t16 | 0xffffffff;
                												}
                												return _t14 | 0xffffffff;
                											}
                											return _t13 | 0xffffffff;
                										}
                										return _t12 | 0xffffffff;
                									}
                									return _t10 | 0xffffffff;
                								}
                								return _t9 | 0xffffffff;
                							}
                							return _t8 | 0xffffffff;
                						}
                						return _t6 | 0xffffffff;
                					}
                					return _t5 | 0xffffffff;
                				}
                				return _t4 | 0xffffffff;
                			}



























                APIs
                • LoadLibraryA.KERNEL32(hid.dll,?,011C1C83,?,011C1254), ref: 011C22D8
                • GetProcAddress.KERNEL32(00000000,HidD_GetAttributes), ref: 011C22FB
                • GetProcAddress.KERNEL32(00000000,HidD_GetSerialNumberString), ref: 011C2323
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: AddressProc$LibraryLoad
                • String ID: HidD_FreePreparsedData$HidD_GetAttributes$HidD_GetFeature$HidD_GetIndexedString$HidD_GetManufacturerString$HidD_GetPreparsedData$HidD_GetProductString$HidD_GetSerialNumberString$HidD_SetFeature$HidD_SetNumInputBuffers$HidP_GetCaps$hid.dll
                • API String ID: 2238633743-3071789778
                • Opcode ID: 0618dd775e41e96969b1eaf922297eefb4cec5eab873ed7866ba9f20372d6521
                • Instruction ID: 9e96b6e6217b462d54689bfec4c78267c5ff265b81c56b3bac3ade8a46a79e00
                • Opcode Fuzzy Hash: 0618dd775e41e96969b1eaf922297eefb4cec5eab873ed7866ba9f20372d6521
                • Instruction Fuzzy Hash: 204193F0626250EFCB3CAB69F84D710BA64B718B39F505739A536821C8DBB490C68F43
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 21%
                			E011C11B0(char* __edx, signed int _a4, signed int _a8) {
                				signed int _v8;
                				char _v264;
                				char _v1288;
                				char _v1289;
                				char _v1290;
                				char _v1291;
                				char _v1292;
                				char _v1293;
                				char _v1294;
                				char _v1295;
                				char _v1296;
                				short _v1298;
                				short _v1300;
                				char _v1304;
                				char* _v1308;
                				signed int _v1310;
                				signed int _v1312;
                				char _v1316;
                				char _v1344;
                				char _v1372;
                				char* _v1434;
                				void* _v1436;
                				signed int _v1437;
                				char** _v1444;
                				intOrPtr _v1448;
                				void* _v1452;
                				char* _v1456;
                				char _v1457;
                				char _v1458;
                				char _v1459;
                				void* _v1464;
                				intOrPtr* _v1468;
                				signed int _v1472;
                				intOrPtr* _v1476;
                				intOrPtr _v1480;
                				char* _v1484;
                				intOrPtr* _v1488;
                				char* _v1492;
                				char* _v1496;
                				char* _v1500;
                				int _v1504;
                				intOrPtr _v1508;
                				intOrPtr _v1512;
                				intOrPtr _v1516;
                				char* _v1520;
                				char* _v1524;
                				char* _v1528;
                				char* _v1532;
                				signed int _v1536;
                				signed int _v1540;
                				intOrPtr _v1544;
                				intOrPtr _v1548;
                				intOrPtr _v1552;
                				signed int _t218;
                				char* _t223;
                				char* _t224;
                				char* _t225;
                				void* _t226;
                				char* _t228;
                				char* _t229;
                				char* _t230;
                				char* _t233;
                				void* _t236;
                				void* _t240;
                				intOrPtr* _t245;
                				char* _t250;
                				char* _t255;
                				char* _t260;
                				char* _t268;
                				long _t270;
                				signed int _t296;
                				char _t340;
                				char _t377;
                				signed int _t378;
                				void* _t379;
                				void* _t380;
                				void* _t381;
                
                				_t333 = __edx;
                				_t218 =  *0x11d3258; // 0x5a3fffe3
                				_v8 = _t218 ^ _t378;
                				_v1532 = 0;
                				_v1444 = 0;
                				_v1304 = 0x4d1e55b2;
                				_v1300 = 0xf16f;
                				_v1298 = 0x11cf;
                				_v1296 = 0x88;
                				_v1295 = 0xcb;
                				_v1294 = 0;
                				_v1293 = 0x11;
                				_v1292 = 0x11;
                				_v1291 = 0;
                				_v1290 = 0;
                				_v1289 = 0x30;
                				_v1464 = 0;
                				_v1456 = 0xffffffff;
                				_v1484 = 0;
                				if(E011C1C70() >= 0) {
                					E011C10E0( &_v1344, 0x1c, 0, 0x1c);
                					_t380 = _t379 + 0x10;
                					_v1344 = 0x1c;
                					_v1372 = 0x1c;
                					_t223 =  &_v1304;
                					__imp__SetupDiGetClassDevsA(_t223, 0, 0, 0x12);
                					_v1456 = _t223;
                					while(1) {
                						_v1452 = 0xffffffff;
                						_v1504 = 0;
                						_t333 = _v1484;
                						_t224 =  &_v1304;
                						__imp__SetupDiEnumDeviceInterfaces(_v1456, 0, _t224, _v1484,  &_v1372);
                						_v1448 = _t224;
                						if(_v1448 == 0) {
                							break;
                						}
                						_t225 =  &_v1372;
                						__imp__SetupDiGetDeviceInterfaceDetailA(_v1456, _t225, 0, 0,  &_v1504, 0);
                						_v1448 = _t225;
                						_t226 = malloc(_v1504);
                						_t381 = _t380 + 4;
                						_v1464 = _t226;
                						 *_v1464 = 5;
                						_t228 =  &_v1372;
                						__imp__SetupDiGetDeviceInterfaceDetailA(_v1456, _t228, _v1464, _v1504, 0, 0);
                						_v1448 = _t228;
                						if(_v1448 != 0) {
                							_v1500 = 0;
                							while(1) {
                								L9:
                								_t229 =  &_v1344;
                								__imp__SetupDiEnumDeviceInfo(_v1456, _v1500, _t229);
                								_v1448 = _t229;
                								if(_v1448 == 0) {
                									break;
                								}
                								_t230 =  &_v264;
                								__imp__SetupDiGetDeviceRegistryPropertyA(_v1456,  &_v1344, 7, 0, _t230, 0x100, 0);
                								_v1448 = _t230;
                								if(_v1448 != 0) {
                									_v1476 = "HIDClass";
                									_v1472 =  &_v264;
                									while(1) {
                										_t296 = _v1472;
                										_t340 =  *_t296;
                										_v1457 = _t340;
                										if(_t340 !=  *_v1476) {
                											break;
                										}
                										if(_v1457 == 0) {
                											L18:
                											_v1536 = 0;
                										} else {
                											_t296 = _v1472;
                											_t377 =  *((intOrPtr*)(_t296 + 1));
                											_v1458 = _t377;
                											_t68 = _v1476 + 1; // 0x6c434449
                											if(_t377 !=  *_t68) {
                												break;
                											} else {
                												_v1472 = _v1472 + 2;
                												_v1476 = _v1476 + 2;
                												if(_v1458 != 0) {
                													continue;
                												} else {
                													goto L18;
                												}
                											}
                										}
                										L20:
                										_v1540 = _v1536;
                										if(_v1540 != 0) {
                											L23:
                											_v1500 =  &(_v1500[1]);
                											goto L9;
                										} else {
                											_t233 =  &_v264;
                											__imp__SetupDiGetDeviceRegistryPropertyA(_v1456,  &_v1344, 9, 0, _t233, 0x100, 0);
                											_v1448 = _t233;
                											if(_v1448 == 0) {
                												goto L23;
                											} else {
                												_t236 = E011C2660(_v1464 + 4, 1);
                												_t381 = _t381 + 8;
                												_v1452 = _t236;
                												if(_v1452 != 0xffffffff) {
                													_v1316 = 0xc;
                													 *0x11d35b0(_v1452,  &_v1316);
                													if((_a4 & 0x0000ffff) == 0 || (_v1312 & 0x0000ffff) == (_a4 & 0x0000ffff)) {
                														if((_a8 & 0x0000ffff) == 0 || (_v1310 & 0x0000ffff) == (_a8 & 0x0000ffff)) {
                															_v1492 = 0;
                															_t240 = calloc(1, 0x24);
                															_t381 = _t381 + 8;
                															_v1496 = _t240;
                															if(_v1444 == 0) {
                																_v1532 = _v1496;
                															} else {
                																_v1444[8] = _v1496;
                															}
                															_v1444 = _v1496;
                															_v1437 =  *0x11d35cc(_v1452,  &_v1492);
                															if((_v1437 & 0x000000ff) != 0) {
                																_v1544 =  *0x11d35d4(_v1492,  &_v1436);
                																if(_v1544 == 0x110000) {
                																	_v1444[6] = _v1434;
                																	_v1444[6] = _v1436;
                																}
                																 *0x11d35d0(_v1492);
                															}
                															_v1444[8] = 0;
                															_t245 = _v1464 + 4;
                															_v1488 = _t245;
                															if(_t245 == 0) {
                																 *_v1444 = 0;
                															} else {
                																_v1468 = _v1488;
                																_v1548 = _v1468 + 1;
                																do {
                																	_v1459 =  *_v1468;
                																	_v1468 = _v1468 + 1;
                																} while (_v1459 != 0);
                																_v1552 = _v1468 - _v1548;
                																_v1480 = _v1552;
                																 *_v1444 = calloc(_v1480 + 1, 1);
                																__imp__strncpy_s( *_v1444, _v1480 + 1, _v1488, _v1480 + 1);
                																_t381 = _t381 + 0x18;
                																( *_v1444)[_v1480] = 0;
                															}
                															_v1437 =  *0x11d35b4(_v1452,  &_v1288, 0x400);
                															_v1508 = 0x3fe;
                															if(_v1508 >= 0x400) {
                																E011CAFAF();
                															}
                															 *((short*)(_t378 + _v1508 - 0x504)) = 0;
                															_t250 = _v1437 & 0x000000ff;
                															if(_t250 != 0) {
                																__imp___wcsdup( &_v1288);
                																_t381 = _t381 + 4;
                																_v1444[2] = _t250;
                															}
                															_v1437 =  *0x11d35b8(_v1452,  &_v1288, 0x400);
                															_v1512 = 0x3fe;
                															if(_v1512 >= 0x400) {
                																E011CAFAF();
                															}
                															 *((short*)(_t378 + _v1512 - 0x504)) = 0;
                															_t255 = _v1437 & 0x000000ff;
                															if(_t255 != 0) {
                																__imp___wcsdup( &_v1288);
                																_t381 = _t381 + 4;
                																_v1444[4] = _t255;
                															}
                															_v1437 =  *0x11d35bc(_v1452,  &_v1288, 0x400);
                															_v1516 = 0x3fe;
                															if(_v1516 >= 0x400) {
                																E011CAFAF();
                															}
                															 *((short*)(_t378 + _v1516 - 0x504)) = 0;
                															_t260 = _v1437 & 0x000000ff;
                															if(_t260 != 0) {
                																__imp___wcsdup( &_v1288);
                																_t381 = _t381 + 4;
                																_v1444[5] = _t260;
                															}
                															_v1444[1] = _v1312;
                															_v1444[1] = _v1310;
                															_v1444[3] = _v1308;
                															_v1444[7] = 0xffffffff;
                															if( *_v1444 != 0) {
                																_t268 = strstr( *_v1444, "&mi_");
                																_t381 = _t381 + 8;
                																_v1520 = _t268;
                																if(_v1520 != 0) {
                																	_v1528 =  &(_v1520[4]);
                																	_v1524 = 0;
                																	_t270 = strtol(_v1528,  &_v1524, 0x10);
                																	_t381 = _t381 + 0xc;
                																	_v1444[7] = _t270;
                																	if(_v1524 == _v1528) {
                																		_v1444[7] = 0xffffffff;
                																	}
                																}
                															}
                														}
                													}
                												} else {
                												}
                												CloseHandle(_v1452);
                											}
                										}
                										goto L62;
                									}
                									asm("sbb ecx, ecx");
                									_v1536 = _t296 | 0x00000001;
                									goto L20;
                								} else {
                								}
                								goto L62;
                							}
                						} else {
                						}
                						L62:
                						free(_v1464);
                						_t380 = _t381 + 4;
                						_v1484 =  &(_v1484[1]);
                					}
                					__imp__SetupDiDestroyDeviceInfoList(_v1456);
                				} else {
                				}
                				return E011CB089(_v8 ^ _t378, _t333);
                			}

                APIs
                • hid_init.IDEASHARESERVICE ref: 011C124F
                  • Part of subcall function 011C1C70: hid_exit.IDEASHARESERVICE(?,011C1254), ref: 011C1C87
                • SetupDiGetClassDevsA.SETUPAPI(4D1E55B2,00000000,00000000,00000012), ref: 011C1295
                • SetupDiEnumDeviceInterfaces.SETUPAPI(FFFFFFFF,00000000,4D1E55B2,00000000,0000001C), ref: 011C12D3
                • SetupDiDestroyDeviceInfoList.SETUPAPI(FFFFFFFF), ref: 011C194F
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: Setup$Device$ClassDestroyDevsEnumInfoInterfacesListhid_exithid_init
                • String ID: &mi_$0$HIDClass
                • API String ID: 34287975-1432604414
                • Opcode ID: 31728dc27514faf44970d006972eae9f0b23f0bea92742f2562a20fff1db01f2
                • Instruction ID: 20573d484d96c6c66a5b744b7c65df2e05ca1358cf0dc71644fd831693eb8566
                • Opcode Fuzzy Hash: 31728dc27514faf44970d006972eae9f0b23f0bea92742f2562a20fff1db01f2
                • Instruction Fuzzy Hash: 682229B0A40A28DFDB28CF54CC44BABBBB5AF59706F0042EDE549A7281D7749AC0CF55
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 31%
                			E011C9D50(intOrPtr __ecx, char* __edx) {
                				int _v8;
                				char _v16;
                				signed int _v20;
                				char _v540;
                				void* _v576;
                				char _v577;
                				signed int _v584;
                				intOrPtr* _v588;
                				void* _v592;
                				int _v596;
                				short _v598;
                				short _v600;
                				char _v604;
                				signed int _v608;
                				int _v612;
                				int _v616;
                				signed int _v620;
                				intOrPtr _v624;
                				intOrPtr _v628;
                				signed int _t57;
                				signed int _t58;
                				signed int _t70;
                				char* _t78;
                				short _t86;
                				short _t89;
                				signed int _t97;
                				void* _t98;
                				void* _t99;
                
                				_t90 = __edx;
                				_push(0xffffffff);
                				_push(E011CCB9C);
                				_push( *[fs:0x0]);
                				_t99 = _t98 - 0x264;
                				_t57 =  *0x11d3258; // 0x5a3fffe3
                				_t58 = _t57 ^ _t97;
                				_v20 = _t58;
                				_push(_t58);
                				 *[fs:0x0] =  &_v16;
                				_v624 = __ecx;
                				_v596 = 0;
                				_v592 = CreateToolhelp32Snapshot(2, 0);
                				_v576 = 0x22c;
                				if(_v592 != 0xffffffff) {
                					_push( &_v576);
                					_v612 = Process32FirstW(_v592);
                					L3:
                					while(_v612 != 0) {
                						_v588 =  &_v540;
                						_v584 = E011CAA30();
                						while(1) {
                							_t70 = _v584;
                							_t86 =  *_t70;
                							_v598 = _t86;
                							if(_t86 !=  *_v588) {
                								break;
                							}
                							if(_v598 == 0) {
                								L9:
                								_v608 = 0;
                							} else {
                								_t70 = _v584;
                								_t89 =  *((intOrPtr*)(_t70 + 2));
                								_v600 = _t89;
                								if(_t89 !=  *((intOrPtr*)(_v588 + 2))) {
                									break;
                								} else {
                									_v584 = _v584 + 4;
                									_v588 = _v588 + 4;
                									if(_v600 != 0) {
                										continue;
                									} else {
                										goto L9;
                									}
                								}
                							}
                							L11:
                							_v620 = _v608;
                							if(_v620 != 0) {
                								_v612 = Process32NextW(_v592,  &_v576);
                								goto L3;
                							} else {
                								_v596 = _v596 + 1;
                							}
                							goto L14;
                						}
                						asm("sbb eax, eax");
                						_v608 = _t70 | 0x00000001;
                						goto L11;
                					}
                					L14:
                					CloseHandle(_v592);
                					__imp__#296();
                					_v8 = 0;
                					_t78 =  &_v604;
                					__imp__#4815(_t78, L"IdeaShareKey num:%d", _v596);
                					_v628 = _t99 + 0xc;
                					_t90 =  &_v604;
                					__imp__#280(_t78);
                					E011C8630( &_v604);
                					if(_v596 <= 0) {
                						_v616 = 0;
                					} else {
                						_v616 = 1;
                					}
                					_v577 = _v616;
                					_v8 = 0xffffffff;
                					__imp__#1045();
                				} else {
                				}
                				 *[fs:0x0] = _v16;
                				return E011CB089(_v20 ^ _t97, _t90);
                			}

                APIs
                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 011C9D8F
                • Process32FirstW.KERNEL32(000000FF,0000022C), ref: 011C9DC2
                • CloseHandle.KERNEL32(000000FF,5A3FFFE3), ref: 011C9EB2
                • #316.MFC140U ref: 011C9EBE
                • #4815.MFC140U(?,IdeaShareKey num:%d,00000000), ref: 011C9EDE
                • #280.MFC140U(?), ref: 011C9EF7
                • #1506.MFC140U ref: 011C9F3D
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #1506#280#316#4815CloseCreateFirstHandleProcess32SnapshotToolhelp32
                • String ID: IdeaShareKey num:%d
                • API String ID: 3445345298-3806956022
                • Opcode ID: bd6064d4270dea8fa4d91fbd88e24e1fcec3c9576eae20dddf306c95421bd537
                • Instruction ID: a05b5b1df70376189e080f6e797886cd42f0ca221dcff803ee7a77ea74a5233a
                • Opcode Fuzzy Hash: bd6064d4270dea8fa4d91fbd88e24e1fcec3c9576eae20dddf306c95421bd537
                • Instruction Fuzzy Hash: E55126B080566D9FCB38EF58DC487A9BBB0EB64B09F1042E9D41DA2290DB755AC4CF45
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E011C1A30(void* __eflags, void** _a4, void* _a8, long _a12) {
                				long _v8;
                				int _v12;
                				struct _OVERLAPPED _v32;
                
                				E011C10E0( &_v32, 0x14, 0, 0x14);
                				_v12 = DeviceIoControl( *_a4, 0xb0192, _a8, _a12, _a8, _a12,  &_v8,  &_v32);
                				if(_v12 != 0 || GetLastError() == 0x3e5) {
                					_v12 = GetOverlappedResult( *_a4,  &_v32,  &_v8, 1);
                					if(_v12 != 0) {
                						_v8 = _v8 + 1;
                						return _v8;
                					}
                					_push("Send Feature Report GetOverLappedResult");
                					return E011C26B0(_a4) | 0xffffffff;
                				} else {
                					_push("Send Feature Report DeviceIoControl");
                					return E011C26B0(_a4) | 0xffffffff;
                				}
                			}

                APIs
                • DeviceIoControl.KERNEL32 ref: 011C1A6B
                • GetLastError.KERNEL32 ref: 011C1A7A
                  • Part of subcall function 011C26B0: GetLastError.KERNEL32(00000400,00000000,00000000,00000000,00000000,Send Feature Report GetOverLappedResult), ref: 011C26C3
                  • Part of subcall function 011C26B0: FormatMessageW.KERNEL32(00001300,00000000,00000000), ref: 011C26D1
                  • Part of subcall function 011C26B0: LocalFree.KERNEL32(?), ref: 011C270E
                • GetOverlappedResult.KERNEL32(?,?,?,00000001), ref: 011C1AAD
                Strings
                • Send Feature Report DeviceIoControl, xrefs: 011C1A87
                • Send Feature Report GetOverLappedResult, xrefs: 011C1ABC
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: ErrorLast$ControlDeviceFormatFreeLocalMessageOverlappedResult
                • String ID: Send Feature Report DeviceIoControl$Send Feature Report GetOverLappedResult
                • API String ID: 3063457916-4161453215
                • Opcode ID: 4b0c8e4bf890e0d8d422531b446debbd2798cd3246ea0a9fc8922042536d8641
                • Instruction ID: aa015597dff692193ed56fc57f1062394cfe68fe069f9b4f86e94f5b35b74072
                • Opcode Fuzzy Hash: 4b0c8e4bf890e0d8d422531b446debbd2798cd3246ea0a9fc8922042536d8641
                • Instruction Fuzzy Hash: CE218175A00208FFCB08DFA8CC85EAE7BB8AF58714F108658F92597281E7709644CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E011CBFCB(intOrPtr* __ecx, void* __eflags) {
                				intOrPtr* _t13;
                
                				_t13 = __ecx;
                				E011CC01E(__ecx);
                				 *__ecx = 0x38;
                				 *((intOrPtr*)(__ecx + 8)) = 0x11c0000;
                				 *((intOrPtr*)(__ecx + 4)) = 0x11c0000;
                				 *((intOrPtr*)(__ecx + 0xc)) = 0xe00;
                				 *((intOrPtr*)(__ecx + 0x10)) = 0x11cee84;
                				if(E011CABA0(__ecx + 0x14) < 0) {
                					if(IsDebuggerPresent() != 0) {
                						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
                					}
                					 *0x11d3730 = 1;
                				}
                				return _t13;
                			}

                APIs
                  • Part of subcall function 011CC01E: memset.VCRUNTIME140(?,00000000,00000018,?,?,011CBFD3,?,011C10BD), ref: 011CC02B
                  • Part of subcall function 011CABA0: GetLastError.KERNEL32 ref: 011CABC4
                  • Part of subcall function 011CABA0: _HRESULT_FROM_WIN32.LIBCMTD ref: 011CABCB
                • IsDebuggerPresent.KERNEL32(?,?,?,011C10BD), ref: 011CBFFE
                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,011C10BD), ref: 011CC00D
                Strings
                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 011CC008
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: DebugDebuggerErrorLastOutputPresentStringmemset
                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                • API String ID: 1848478996-631824599
                • Opcode ID: 8fce076c9c2b52b53e84c9be92180252ce8cffac1e7301e28b2d2badb5a3d6e2
                • Instruction ID: b9eeda6cb8812ec470392d65e1fcd785b1e06af54587446a11f2c69347e85b96
                • Opcode Fuzzy Hash: 8fce076c9c2b52b53e84c9be92180252ce8cffac1e7301e28b2d2badb5a3d6e2
                • Instruction Fuzzy Hash: 98E06D742017918FD7389FB8E004346BFE4BF24A88F01882CD4AAC3240E7B5D8949B91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E011C26B0(intOrPtr _a4) {
                				short _v8;
                				short _v12;
                				void* _t20;
                
                				FormatMessageW(0x1300, 0, GetLastError(), 0x400,  &_v12, 0, 0);
                				_v8 = _v12;
                				while(( *_v8 & 0x0000ffff) != 0) {
                					if(( *_v8 & 0x0000ffff) != 0xd) {
                						_v8 = _v8 + 2;
                						continue;
                					} else {
                						 *_v8 = 0;
                					}
                					break;
                				}
                				LocalFree( *(_a4 + 0x10));
                				_t20 = _v12;
                				 *(_a4 + 0x10) = _t20;
                				return _t20;
                			}







                APIs
                • GetLastError.KERNEL32(00000400,00000000,00000000,00000000,00000000,Send Feature Report GetOverLappedResult), ref: 011C26C3
                • FormatMessageW.KERNEL32(00001300,00000000,00000000), ref: 011C26D1
                • LocalFree.KERNEL32(?), ref: 011C270E
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: ErrorFormatFreeLastLocalMessage
                • String ID:
                • API String ID: 1365068426-0
                • Opcode ID: b3c54f6a1f7ab3e0e7000e22bfecdea57122e6e61fe61b1ec62034cbbea2210a
                • Instruction ID: e697243f2d6957104f9b4d76bf2686676bb81de991700e59b49931356f6ce77a
                • Opcode Fuzzy Hash: b3c54f6a1f7ab3e0e7000e22bfecdea57122e6e61fe61b1ec62034cbbea2210a
                • Instruction Fuzzy Hash: A8012C78A04308EFDB18CF98D941BADBBB5FB44745F204099E9059B384D730AE91DB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E011C34B0(intOrPtr* _a4) {
                				char _v8;
                				char _v16;
                				intOrPtr _v20;
                				void* _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				intOrPtr _v44;
                				signed int _t26;
                				char* _t29;
                				intOrPtr _t30;
                				void* _t37;
                				void* _t39;
                				void* _t50;
                				void* _t52;
                				signed int _t54;
                				void* _t55;
                
                				_t26 =  *0x11d3258; // 0x5a3fffe3
                				 *[fs:0x0] =  &_v16;
                				_v20 = _t55 - 0x18;
                				_v8 = 0;
                				_v28 = 0;
                				_v40 = 0;
                				_t29 =  &_v28;
                				__imp__CoCreateInstance(0x11cd694, 0, 0x17, 0x11cd6a4, _t29, _t26 ^ _t54, _t50, _t52, _t37, _t39,  *[fs:0x0], E011CC370, 0xffffffff);
                				_v32 = _t29;
                				if(_v32 < 0) {
                					_t30 = 0;
                				} else {
                					_v44 =  *((intOrPtr*)( *((intOrPtr*)( *_v28 + 0x30))))(_v28,  *_a4, _v40);
                					_v32 = _v44;
                					 *((intOrPtr*)( *((intOrPtr*)( *_v28 + 8))))(_v28);
                					if(_v32 < 0) {
                						_v36 = 0;
                					} else {
                						_v36 = 1;
                					}
                					_t30 = _v36;
                				}
                				 *[fs:0x0] = _v16;
                				return _t30;
                			}





















                APIs
                • CoCreateInstance.OLE32(011CD694,00000000,00000017,011CD6A4,00000000,5A3FFFE3), ref: 011C3503
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: CreateInstance
                • String ID:
                • API String ID: 542301482-0
                • Opcode ID: d4e01766cf728f51e8769b01a4625a8e84c3e662d78e976db7ce3e36884dc4b7
                • Instruction ID: 47098c17069635b584fc63d2bae13ca77505d24b691d18e597cd0b1af2dd803e
                • Opcode Fuzzy Hash: d4e01766cf728f51e8769b01a4625a8e84c3e662d78e976db7ce3e36884dc4b7
                • Instruction Fuzzy Hash: 4E213CB1A14209EFCB08CF89D845BEEBBB8FB59714F10416DE529A7280C375A941CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E011C5D60(intOrPtr __ecx) {
                				intOrPtr _v8;
                
                				_push(__ecx);
                				_v8 = __ecx;
                				return IsIconic( *(_v8 + 0x20));
                			}





                APIs
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: Iconic
                • String ID:
                • API String ID: 110040809-0
                • Opcode ID: 9b5fbe846e03cc61b93ec0cf3879f7ff8d6e5333c19aced3cd7334cfc75ddc8f
                • Instruction ID: c67815061a8b1befca293b49112def9f1dcd01013c6c939cca35100b20eb6d1c
                • Opcode Fuzzy Hash: 9b5fbe846e03cc61b93ec0cf3879f7ff8d6e5333c19aced3cd7334cfc75ddc8f
                • Instruction Fuzzy Hash: 42C012B0908208AF8B18CB88E904C29BBA8EB48200B0002EDF808833008A32AE008A94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E011CA5B0(intOrPtr __ecx, void* __eflags) {
                				struct _SECURITY_ATTRIBUTES* _v8;
                				char _v16;
                				signed int _v20;
                				char _v44;
                				char _v45;
                				char _v46;
                				void* _v47;
                				signed char _v48;
                				char _v49;
                				char _v50;
                				struct HWND__* _v56;
                				long _v60;
                				void* _v64;
                				char _v68;
                				int _v72;
                				intOrPtr _v76;
                				intOrPtr _v80;
                				intOrPtr _v84;
                				intOrPtr _v88;
                				struct _PROCESS_INFORMATION _v104;
                				struct _STARTUPINFOW _v172;
                				signed int _t53;
                				signed int _t54;
                				int _t68;
                				signed int _t106;
                				void* _t107;
                				intOrPtr _t108;
                				void* _t109;
                				void* _t110;
                
                				_t108 = _t107 - 0x9c;
                				_t53 =  *0x11d3258; // 0x5a3fffe3
                				_t54 = _t53 ^ _t106;
                				_v20 = _t54;
                				 *[fs:0x0] =  &_v16;
                				_v76 = __ecx;
                				_v84 = _t108;
                				__imp__#286(__ecx, _t54,  *[fs:0x0], E011CCC79, 0xffffffff);
                				E011C8630(L"Try to Upgrade");
                				_t109 = _t108 + 4;
                				_v72 = 4;
                				_v56 = FindWindowW(0, L"IdeaShare Key  Setup: Installing");
                				GetWindowThreadProcessId(_v56,  &_v60);
                				_v64 = OpenProcess(1, 0, _v60);
                				if(TerminateProcess(_v64, _v72) == 0) {
                					_v45 = 0;
                				} else {
                					_v45 = 1;
                				}
                				_v49 = _v45;
                				_v56 = FindWindowW(0, L"IdeaShare Key  Setup: Completed");
                				GetWindowThreadProcessId(_v56,  &_v60);
                				_v64 = OpenProcess(1, 0, _v60);
                				_t68 = TerminateProcess(_v64, _v72);
                				_t115 = _t68;
                				if(_t68 == 0) {
                					_v46 = 0;
                				} else {
                					_v46 = 1;
                				}
                				_v50 = _v46;
                				E011CA300(_v76, _t115);
                				memset( &_v172, 0, 0x44);
                				_t110 = _t109 + 0xc;
                				_v172.cb = 0x44;
                				_v80 = E011C96D0(_v76,  &_v44);
                				if(CreateProcessW(E011CAA30(), L"/S", 0, 0, 0, 0, 0, 0,  &_v172,  &_v104) == 0) {
                					_v47 = 0;
                				} else {
                					_v47 = 1;
                				}
                				_v48 = _v47;
                				E011C2CC0();
                				__imp__#296();
                				_v8 = 0;
                				__imp__#4815( &_v68, L"Start Upgrade:%d", _v48 & 0x000000ff);
                				_v88 = _t110 + 0xc;
                				__imp__#280( &_v68);
                				E011C8630( &_v68);
                				_v8 = 0xffffffff;
                				__imp__#1045();
                				 *[fs:0x0] = _v16;
                				return E011CB089(_v20 ^ _t106,  &_v68);
                			}

































                APIs
                • #286.MFC140U(Try to Upgrade,?,5A3FFFE3), ref: 011CA5E9
                  • Part of subcall function 011C8630: #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                  • Part of subcall function 011C8630: #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C8630: #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                • FindWindowW.USER32(00000000,IdeaShare Key Setup: Installing), ref: 011CA605
                • GetWindowThreadProcessId.USER32(?,?), ref: 011CA616
                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 011CA624
                • TerminateProcess.KERNEL32(?,00000004), ref: 011CA635
                • FindWindowW.USER32(00000000,IdeaShare Key Setup: Completed), ref: 011CA656
                • GetWindowThreadProcessId.USER32(?,?), ref: 011CA667
                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 011CA675
                • TerminateProcess.KERNEL32(?,00000004), ref: 011CA686
                • memset.VCRUNTIME140(00000000,00000000,00000044), ref: 011CA6B3
                • Concurrency::details::SchedulerBase::GetPolicy.LIBCMTD ref: 011CA6E8
                • CreateProcessW.KERNEL32 ref: 011CA6F9
                • #316.MFC140U ref: 011CA71E
                • #4815.MFC140U(?,Start Upgrade:%d,?), ref: 011CA739
                • #280.MFC140U(?), ref: 011CA74C
                • #1506.MFC140U ref: 011CA764
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: Process$Window$#1506#280#286FindOpenTerminateThread$#316#4815Base::Concurrency::details::CreatePolicySchedulermemset
                • String ID: D$IdeaShare Key Setup: Completed$IdeaShare Key Setup: Installing$Start Upgrade:%d$Try to Upgrade
                • API String ID: 3333293505-2109770766
                • Opcode ID: c9f75fca66e5caed136491e48f477faa0b36de26ebefe394a3ee61eb0c2f0c68
                • Instruction ID: df7c119e239f8ae0bcdf4a9e1508430d1ec4469f45e2ff8ad27711f57c5b57b7
                • Opcode Fuzzy Hash: c9f75fca66e5caed136491e48f477faa0b36de26ebefe394a3ee61eb0c2f0c68
                • Instruction Fuzzy Hash: D2515CB1E04248EFDB18DFE4E845BDDBFB4AF68B04F00412DE516A7280EB755944CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 46%
                			E011C90F0(signed char* __ecx, void* __edx, void* __esi) {
                				int _v8;
                				char _v16;
                				signed int _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				char _v40;
                				signed int _v44;
                				signed int _v48;
                				signed int _v52;
                				signed int _v56;
                				char _v60;
                				char _v64;
                				char _v68;
                				char _v72;
                				char _v76;
                				char _v80;
                				char _v104;
                				char _v128;
                				char _v152;
                				char _v176;
                				signed char* _v180;
                				signed int _v181;
                				signed char _v182;
                				signed int _v183;
                				char _v188;
                				char _v192;
                				int _v196;
                				intOrPtr _v200;
                				intOrPtr _v204;
                				intOrPtr _v208;
                				void* _v228;
                				intOrPtr _v232;
                				intOrPtr _v236;
                				intOrPtr _v240;
                				intOrPtr _v244;
                				intOrPtr _v248;
                				intOrPtr _v252;
                				intOrPtr _v256;
                				intOrPtr _v260;
                				signed int _t132;
                				signed int _t133;
                				char* _t154;
                				signed char _t159;
                				char* _t212;
                				signed int _t221;
                				signed int _t260;
                				void* _t261;
                				void* _t262;
                				intOrPtr _t263;
                				intOrPtr _t264;
                				intOrPtr _t265;
                				intOrPtr _t266;
                				intOrPtr _t267;
                				intOrPtr _t268;
                
                				_push(0xffffffff);
                				_push(E011CCA19);
                				_push( *[fs:0x0]);
                				_t262 = _t261 - 0xf4;
                				_t132 =  *0x11d3258; // 0x5a3fffe3
                				_t133 = _t132 ^ _t260;
                				_v20 = _t133;
                				_push(_t133);
                				 *[fs:0x0] =  &_v16;
                				_v180 = __ecx;
                				if(( *_v180 & 0x000000ff) != 0) {
                					_t263 = _t262 - 0x18;
                					_v232 = _t263;
                					_v204 = E011C9590(_v180, __eflags,  &_v176);
                					_v208 = _v204;
                					_v8 = 0;
                					E011C2BF0(E011CAA30());
                					_v181 = E011CA260(_v180);
                					__eflags = _v181 & 0x000000ff;
                					if((_v181 & 0x000000ff) != 0) {
                						_v196 = 0;
                					} else {
                						_v196 = 1;
                					}
                					_v182 = _v196;
                					_v8 = 0xffffffff;
                					E011C2CC0();
                					__eflags = _v182 & 0x000000ff;
                					if(__eflags == 0) {
                						_t264 = _t263 - 0x18;
                						_v236 = _t264;
                						E011C9590(_v180, __eflags, _t264);
                						_v240 = E011C9730(_v180, _t264);
                						_v8 = 1;
                						__imp__#6966();
                						E011C2BF0(_t145);
                						_v8 = 2;
                						E011C4720(0x11ce35b);
                						_v8 = 3;
                						E011CA790(_v180, __eflags,  &_v152,  &_v128);
                						_t265 = _t264 - 0x18;
                						_v244 = _t265;
                						E011C2BF0(E011CAA30());
                						_v183 = E011CA260(_v180,  &_v188);
                						__eflags = _v183 & 0x000000ff;
                						if((_v183 & 0x000000ff) != 0) {
                							L011CBF59();
                							_v8 = 4;
                							_push(0);
                							_push(0);
                							_push(E011CAA30());
                							L011CBF5F();
                							_v40 = 0;
                							_v36 = 0;
                							_v32 = 0;
                							_v28 = 0;
                							_v24 = 0;
                							_push(0x14);
                							_t154 =  &_v40;
                							_push(_t154);
                							L011CBF89();
                							_v200 = _t154;
                							memset(_t260 + _v200 - 0x24, 0, 0x14 - _v200);
                							_t266 = _t265 + 0xc;
                							L011CBF6B();
                							E011C4720( &_v40);
                							_v8 = 5;
                							E011C7AF0( &_v104);
                							_t212 =  &_v104;
                							_t159 = E011CAA80(_t212);
                							_t251 = _t159 & 0x000000ff;
                							__eflags = _t159 & 0x000000ff;
                							if((_t159 & 0x000000ff) == 0) {
                								_v80 = 0;
                								_v76 = 0;
                								_v72 = 0;
                								_v68 = 0;
                								_v64 = 0;
                								__eflags = 0;
                								_v60 = 0;
                								_v56 = 0;
                								_v52 = 0;
                								_v48 = 0;
                								_v44 = 0;
                								_t267 = _t266 - 0x18;
                								_v252 = _t267;
                								E011C8B40(_t267,  &_v128);
                								E011C9910(_v180);
                								_t268 = _t267 - 0x18;
                								_v256 = _t268;
                								E011C8B40(_t268,  &_v104);
                								E011C9910(_v180);
                								_v180[1] = E011CA010(_v180,  &_v80,  &_v60);
                								__imp__#296( &_v60,  &_v80);
                								_v8 = 6;
                								_t221 = _v180[1] & 0x000000ff;
                								_t251 =  &_v192;
                								__imp__#4815( &_v192, L"Find new Version:%d", _t221);
                								_v260 = _t268 + 0xc;
                								__imp__#280(_t221);
                								E011C8630( &_v192);
                								_v8 = 5;
                								__imp__#1045();
                								_v8 = 4;
                								E011C4C40();
                								_v8 = 3;
                								L011CBF71();
                								_v8 = 2;
                								E011C4C40();
                								_v8 = 1;
                								E011C2CC0();
                								_v8 = 0xffffffff;
                								__imp__#1045();
                							} else {
                								_v180[1] = 0;
                								_v248 = _t266;
                								__imp__#286(_t212);
                								E011C85A0(L"not Get Setup Version");
                								_v8 = 4;
                								E011C4C40();
                								_v8 = 3;
                								L011CBF71();
                								_v8 = 2;
                								E011C4C40();
                								_v8 = 1;
                								E011C2CC0();
                								_v8 = 0xffffffff;
                								__imp__#1045();
                							}
                						} else {
                							_v180[1] = 0;
                							_v8 = 2;
                							E011C4C40();
                							_v8 = 1;
                							E011C2CC0();
                							_v8 = 0xffffffff;
                							__imp__#1045();
                						}
                					} else {
                						_v180[1] = 1;
                					}
                				}
                				 *[fs:0x0] = _v16;
                				return E011CB089(_v20 ^ _t260, _t251);
                			}




























































                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID:
                • String ID: Find new Version:%d$not Get Setup Version
                • API String ID: 0-2956712007
                • Opcode ID: 4f6631f4e775acfe4c7ae1459f2658972b2007dd2ebb9f2f03b3b6e85e82f659
                • Instruction ID: 9970fb45d397470099b927746f8c0fc35e78aee259151df9e94a22788b97cb01
                • Opcode Fuzzy Hash: 4f6631f4e775acfe4c7ae1459f2658972b2007dd2ebb9f2f03b3b6e85e82f659
                • Instruction Fuzzy Hash: 30C16C70C04259CADB28EBA4DD55BEEBBB5AF64704F1081EDD01AA7291DB301F84CF92
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 27%
                			E011C5900(void* __edx, void* __eflags, intOrPtr _a4) {
                				long _v8;
                				char _v16;
                				void* _v20;
                				void* _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				WCHAR* _v44;
                				WCHAR* _v48;
                				char _v52;
                				char _v56;
                				char _v60;
                				intOrPtr _v64;
                				char _v72;
                				intOrPtr _v76;
                				intOrPtr _v80;
                				char _v84;
                				signed int _t47;
                				WCHAR* _t57;
                				signed int _t85;
                
                				_t47 =  *0x11d3258; // 0x5a3fffe3
                				 *[fs:0x0] =  &_v16;
                				__imp__#296(_t47 ^ _t85,  *[fs:0x0], E011CC654, 0xffffffff);
                				_v8 = 0;
                				E011C5CE0( &_v72, __edx,  &_v72);
                				_v28 = E011C5AE0( &_v72, __eflags,  &_v60, "%Y%m%d%H%M%S");
                				_v32 = _v28;
                				_v8 = 1;
                				_v36 = E011C5240( &_v56, L"DumpService_", _v32);
                				_v40 = _v36;
                				_v8 = 2;
                				_v44 = E011C5180( &_v52, _v40, L".dmp");
                				_v48 = _v44;
                				_v8 = 3;
                				_t57 = _v48;
                				__imp__#1523(_t57);
                				_v8 = 2;
                				__imp__#1045();
                				_v8 = 1;
                				__imp__#1045();
                				_v8 = 0;
                				__imp__#1045();
                				__imp__#1663();
                				_v20 = CreateFileW(_t57, 0x40000000, 0, 0, 2, 0x80, 0);
                				if(_v20 != 0xffffffff) {
                					_v80 = _a4;
                					_v84 = GetCurrentThreadId();
                					_v76 = 1;
                					_push(0);
                					_push(0);
                					_push( &_v84);
                					_push(0);
                					_push(_v20);
                					_push(GetCurrentProcessId());
                					_push(GetCurrentProcess());
                					L011CC14A();
                					CloseHandle(_v20);
                				}
                				_v64 = 1;
                				_v8 = 0xffffffff;
                				__imp__#1045();
                				 *[fs:0x0] = _v16;
                				return _v64;
                			}

                APIs
                • #316.MFC140U(5A3FFFE3), ref: 011C5928
                  • Part of subcall function 011C5CE0: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,011C593E,?), ref: 011C5CE5
                  • Part of subcall function 011C5AE0: #290.MFC140U(?,5A3FFFE3,011C5954), ref: 011C5B16
                  • Part of subcall function 011C5AE0: #6967.MFC140U ref: 011C5B2F
                  • Part of subcall function 011C5AE0: #1506.MFC140U(?,00000000), ref: 011C5B55
                  • Part of subcall function 011C5240: #5922.MFC140U(?,?,?,?,000000FF), ref: 011C526F
                  • Part of subcall function 011C5240: #305.MFC140U(00000000,?,?,?,?,000000FF), ref: 011C5279
                  • Part of subcall function 011C5240: #5885.MFC140U(?,?,?,?,000000FF), ref: 011C5289
                  • Part of subcall function 011C5240: #6967.MFC140U(00000000,?,?,?,?,000000FF), ref: 011C5293
                  • Part of subcall function 011C5240: #14322.MFC140U(5A3FFFE3,00000000,?,?,?,?,000000FF), ref: 011C529E
                  • Part of subcall function 011C5240: #3009.MFC140U(00000000,5A3FFFE3,00000000,5A3FFFE3), ref: 011C52B0
                  • Part of subcall function 011C5240: #280.MFC140U(?), ref: 011C52C0
                  • Part of subcall function 011C5240: #1506.MFC140U ref: 011C52D9
                  • Part of subcall function 011C5180: #5922.MFC140U ref: 011C51AF
                  • Part of subcall function 011C5180: #305.MFC140U(00000000), ref: 011C51B9
                  • Part of subcall function 011C5180: #14322.MFC140U(?), ref: 011C51CA
                  • Part of subcall function 011C5180: #5885.MFC140U(00000000,00000000,5A3FFFE3,?), ref: 011C51DB
                  • Part of subcall function 011C5180: #6967.MFC140U(00000000), ref: 011C51E5
                  • Part of subcall function 011C5180: #3009.MFC140U(?,00000000), ref: 011C51F0
                  • Part of subcall function 011C5180: #280.MFC140U(?), ref: 011C5200
                  • Part of subcall function 011C5180: #1506.MFC140U ref: 011C5219
                • #1523.MFC140U(?,?,?,?,?,.dmp,?), ref: 011C59A7
                • #1506.MFC140U(?,?,?,?,.dmp,?), ref: 011C59B4
                • #1506.MFC140U(?,?,?,?,.dmp,?), ref: 011C59C1
                • #1506.MFC140U(?,?,?,?,.dmp,?), ref: 011C59CE
                • #6967.MFC140U(40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,.dmp,?), ref: 011C59E9
                • CreateFileW.KERNEL32(00000000,?,?,?,?,.dmp,?), ref: 011C59F0
                • GetCurrentThreadId.KERNEL32 ref: 011C5A05
                • GetCurrentProcessId.KERNEL32(000000FF,00000000,?,00000000,00000000,?,?,?,?,.dmp), ref: 011C5A23
                • GetCurrentProcess.KERNEL32(00000000,?,?,?,?,.dmp), ref: 011C5A2A
                • MiniDumpWriteDump.DBGHELP(00000000,?,?,?,?,.dmp), ref: 011C5A31
                • CloseHandle.KERNEL32(000000FF,00000000,?,?,?,?,.dmp), ref: 011C5A3A
                • #1506.MFC140U(?,?,?,?,.dmp,?), ref: 011C5A51
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #1506$#6967$Current$#14322#280#3009#305#5885#5922DumpProcess$#1523#290#316CloseCreateFileHandleMiniThreadWrite_time64
                • String ID: %Y%m%d%H%M%S$.dmp$DumpService_
                • API String ID: 3719392179-1207471924
                • Opcode ID: 8aaabbe948080aab41135b2ceaefd52b91f9dd900b61a29bb7ebde8bb140bd6c
                • Instruction ID: 75ad5e573cbb05e90dde9fd7d2708322944c8089c62b1fbd2d0031c25ef34ab6
                • Opcode Fuzzy Hash: 8aaabbe948080aab41135b2ceaefd52b91f9dd900b61a29bb7ebde8bb140bd6c
                • Instruction Fuzzy Hash: A541FDB1D00248EFDF18DFE4E949BDEBBB4BB58704F10422DE521A7280DB756A45CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 32%
                			E011C9730(intOrPtr __ecx, void* __edx, intOrPtr _a4, void* _a8) {
                				void* _v8;
                				char _v16;
                				void* _v20;
                				void* _v24;
                				char _v28;
                				int _v32;
                				char _v36;
                				void* _v40;
                				signed int _v44;
                				void* _v48;
                				int _v52;
                				void* _v56;
                				intOrPtr _v60;
                				intOrPtr _v64;
                				char _v68;
                				intOrPtr _v72;
                				intOrPtr _v76;
                				int _v80;
                				intOrPtr _v84;
                				signed int _t67;
                				intOrPtr _t74;
                				void* _t80;
                				void* _t116;
                				signed int _t128;
                				void* _t129;
                				void* _t130;
                				void* _t134;
                
                				_t116 = __edx;
                				_t130 = _t129 - 0x44;
                				_t67 =  *0x11d3258; // 0x5a3fffe3
                				 *[fs:0x0] =  &_v16;
                				_v72 = __ecx;
                				_v44 = 0;
                				_v8 = 0;
                				_v76 = 0x104;
                				_v20 = 0;
                				_v40 = 0;
                				__imp__#296(_t67 ^ _t128,  *[fs:0x0], E011CCAC3, 0xffffffff);
                				_v8 = 1;
                				_v32 = GetFileVersionInfoSizeW(E011CAA30(),  &_v52);
                				if(_v32 > 0) {
                					_push(_v32);
                					_t80 = E011CB3AC(_t116);
                					_t134 = _t130 + 4;
                					_v48 = _t80;
                					_v20 = _v48;
                					if(GetFileVersionInfoW(E011CAA30(), _v52, _v32, _v20) != 0 && VerQueryValueW(_v20, "\\",  &_v40,  &_v80) != 0) {
                						_v24 = _v40;
                						__imp__#4815( &_v28, L"%d.%d.%d.%d",  *(_v24 + 0x10) >> 0x10,  *(_v24 + 0x10) & 0x0000ffff,  *(_v24 + 0x14) >> 0x10,  *(_v24 + 0x14) & 0x0000ffff);
                						_t134 = _t134 + 0x18;
                					}
                					_v56 = _v20;
                					_push(_v56);
                					L011CB3B5();
                					_t130 = _t134 + 4;
                					_v20 = 0;
                				}
                				__imp__#296();
                				_v8 = 2;
                				_t74 = E011C5240( &_v68, L"Get Currenet Version:",  &_v28);
                				_v60 = _t74;
                				_v64 = _v60;
                				_v8 = 3;
                				__imp__#1663();
                				__imp__#4815( &_v36, _t74);
                				_v8 = 2;
                				__imp__#1045();
                				_v84 = _t130 + 0x14;
                				__imp__#280( &_v68);
                				E011C8630( &_v36);
                				__imp__#280( &_v28);
                				_v44 = _v44 | 0x00000001;
                				_v8 = 1;
                				__imp__#1045();
                				_v8 = 0;
                				__imp__#1045();
                				_v8 = 0xffffffff;
                				E011C2CC0();
                				 *[fs:0x0] = _v16;
                				return _a4;
                			}

                APIs
                • #316.MFC140U ref: 011C977E
                • GetFileVersionInfoSizeW.VERSION(00000000,?), ref: 011C9795
                • GetFileVersionInfoW.VERSION(00000000,?,00000000,00000000), ref: 011C97D1
                • VerQueryValueW.VERSION(00000000,011CE680,00000000,00000000,00000000,?,00000000,00000000), ref: 011C97EB
                • #4815.MFC140U(011CCAC3,%d.%d.%d.%d,?,?,?,?,00000000,011CE680,00000000,00000000,00000000,?,00000000,00000000), ref: 011C9830
                • #316.MFC140U(00000000,?), ref: 011C9855
                • #6967.MFC140U ref: 011C9884
                • #4815.MFC140U(?,00000000), ref: 011C988F
                • #1506.MFC140U ref: 011C989F
                • #280.MFC140U(?), ref: 011C98AF
                • #280.MFC140U(011CCAC3), ref: 011C98C4
                • #1506.MFC140U ref: 011C98DA
                • #1506.MFC140U ref: 011C98E7
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #1506$#280#316#4815FileInfoVersion$#6967QuerySizeValue
                • String ID: %d.%d.%d.%d$Get Currenet Version:
                • API String ID: 4204548726-3455792170
                • Opcode ID: 17837377321656026a3e41413cf6d7192a55b2741b9cad831c899b1e152a92c8
                • Instruction ID: a466773a41cd4f8e92b6864982086df165495ce94528f490bd58834c2e6712a9
                • Opcode Fuzzy Hash: 17837377321656026a3e41413cf6d7192a55b2741b9cad831c899b1e152a92c8
                • Instruction Fuzzy Hash: 72512BB1D00249DFDF08DFD4E945AEEBBB4BF68704F10852DE416A7280DB74AA45CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E011CA070(signed char* __ecx, void* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
                				signed int _v8;
                				void _v528;
                				signed int _v532;
                				signed char* _v536;
                				intOrPtr _v540;
                				intOrPtr _v544;
                				intOrPtr _v548;
                				intOrPtr _v552;
                				intOrPtr _v556;
                				intOrPtr _v560;
                				signed int _t27;
                				signed int _t35;
                				signed int _t39;
                				signed int _t55;
                				void* _t57;
                				signed int _t60;
                				signed char* _t63;
                				void* _t74;
                				signed int _t75;
                				intOrPtr _t76;
                				intOrPtr _t77;
                				intOrPtr _t79;
                				intOrPtr _t81;
                
                				_t74 = __esi;
                				_t70 = __edx;
                				_t27 =  *0x11d3258; // 0x5a3fffe3
                				_v8 = _t27 ^ _t75;
                				_v536 = __ecx;
                				_v540 = _t76;
                				__imp__#286(__ecx);
                				E011C8630(L"ParseDriverData");
                				_t77 = _t76 + 4;
                				_v532 = E011CA220(_v536, _a4);
                				_t55 = _v532 & 0x0000ffff;
                				if(_t55 != 0x20) {
                					memset( &_v528, 0, 0x208);
                					_push(E011CAA30());
                					_t57 =  &_v528;
                					_t35 = E011CAB60(_t57, 0x104, L"%c:\\%s", _v532 & 0x0000ffff);
                					_t79 = _t77 + 0x20;
                					__eflags = _t35;
                					if(_t35 != 0) {
                						_t79 = _t79 - 0x18;
                						_v548 = _t79;
                						E011C2BF0( &_v528);
                						_t57 = _v536;
                						E011CA3A0();
                					}
                					_v552 = _t79;
                					__imp__#286(_t57);
                					E011C8630( &_v528);
                					_push(E011CAA30());
                					_t60 = _v532 & 0x0000ffff;
                					_t39 = E011CAB60( &_v528, 0x104, L"%c:\\%s", _t60);
                					_t81 = _t79 + 0x18;
                					__eflags = _t39;
                					if(_t39 != 0) {
                						_t60 = _v536 + 0x20;
                						__eflags = _t60;
                						E011C8D00(_t60,  &_v528);
                					}
                					_v556 = _t81;
                					_t70 =  &_v528;
                					__imp__#286(_t60);
                					E011C8630( &_v528);
                					E011C8F50(_v536, _t74, __eflags);
                					_t63 = _v536;
                					E011C90F0(_t63,  &_v528, _t74);
                					_v560 = _t81 + 4;
                					__imp__#286(_t63);
                					E011C8630(L"Device Prepared");
                				} else {
                					_v544 = _t77;
                					__imp__#286(_t55);
                					E011C8630(L"Device not Prepared");
                				}
                				return E011CB089(_v8 ^ _t75, _t70);
                			}

                APIs
                • #286.MFC140U(ParseDriverData,?), ref: 011CA097
                  • Part of subcall function 011C8630: #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                  • Part of subcall function 011C8630: #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C8630: #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                • #286.MFC140U(Device not Prepared,?,?), ref: 011CA0D5
                • memset.VCRUNTIME140(?,00000000,00000208,?), ref: 011CA0F8
                • _swprintf.LIBCMTD ref: 011CA124
                • #286.MFC140U(?,?,?,?,?,?,?,?,?,?), ref: 011CA162
                • _swprintf.LIBCMTD ref: 011CA194
                • #286.MFC140U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 011CA1C5
                • #286.MFC140U(Device Prepared), ref: 011CA1F7
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #286$_swprintf$#1506#280memset
                • String ID: %c:\%s$%c:\%s$Device Prepared$Device not Prepared$ParseDriverData$Version
                • API String ID: 2996126082-4055863599
                • Opcode ID: 25aa355ffc1e969bf0a289d8f573b3126a27670748aba87c7233565fbd2b0292
                • Instruction ID: c94af6d304bdc54be0f0e76ea91a6dcae2dd2500b7a7cc3cfe771baf0d56eb60
                • Opcode Fuzzy Hash: 25aa355ffc1e969bf0a289d8f573b3126a27670748aba87c7233565fbd2b0292
                • Instruction Fuzzy Hash: AE41B6F595021D6BCB2CBB94EC4ABAD7775AF74B04F0041ACF41A93141EB705E808FA2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 16%
                			E011C3E60(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                				char _v8;
                				char _v16;
                				intOrPtr _v20;
                				signed char _v21;
                				signed char _v22;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				intOrPtr _v44;
                				signed int _v48;
                				char _v52;
                				char _v56;
                				intOrPtr _v60;
                				intOrPtr _v64;
                				signed int _v68;
                				char _v72;
                				char _v76;
                				intOrPtr _v80;
                				intOrPtr _v84;
                				intOrPtr* _v88;
                				intOrPtr _v92;
                				intOrPtr _v96;
                				intOrPtr _v100;
                				intOrPtr _v104;
                				char _v112;
                				void* __ecx;
                				signed int _t111;
                				intOrPtr* _t114;
                				signed char _t117;
                				signed int _t127;
                				signed char _t130;
                				intOrPtr _t132;
                				signed char _t135;
                				signed int _t136;
                				signed char _t139;
                				intOrPtr _t142;
                				void* _t145;
                				void* _t147;
                				signed int _t187;
                				signed int _t205;
                				intOrPtr _t210;
                				void* _t221;
                				void* _t223;
                				signed int _t225;
                				void* _t226;
                				intOrPtr _t227;
                				intOrPtr _t228;
                
                				_t227 = _t226 - 0x5c;
                				_t111 =  *0x11d3258; // 0x5a3fffe3
                				 *[fs:0x0] =  &_v16;
                				_v20 = _t227;
                				_v28 = 0;
                				_t114 = _a4;
                				__imp__?width@ios_base@std@@QBE_JXZ(_t111 ^ _t225, _t221, _t223, _t145, _t147,  *[fs:0x0], E011CC418, 0xffffffff);
                				_v88 = _t114;
                				_v84 = _a4 +  *((intOrPtr*)( *_t114 + 4));
                				_t228 = _v84;
                				if(_t228 < 0 || _t228 <= 0 && _v88 <= 0) {
                					L5:
                					_v36 = 0;
                				} else {
                					_t142 = _a4;
                					__imp__?width@ios_base@std@@QBE_JXZ();
                					_t230 = _t142 - _a12;
                					if(_t142 <= _a12) {
                						goto L5;
                					} else {
                						__imp__?width@ios_base@std@@QBE_JXZ();
                						_v36 = _a4 - _a12;
                					}
                				}
                				_v32 = _v36;
                				E011C4AA0(_t230, _a4);
                				_v8 = 0;
                				_t117 = E011C5130( &_v112);
                				if((_t117 & 0x000000ff) != 0) {
                					_v8 = 1;
                					__imp__?flags@ios_base@std@@QBEHXZ();
                					_v40 = _t117;
                					__eflags = (_v40 & 0x000001c0) - 0x40;
                					if((_v40 & 0x000001c0) != 0x40) {
                						while(1) {
                							__eflags = _v32;
                							if(_v32 <= 0) {
                								goto L15;
                							}
                							_t135 =  *_a4;
                							__imp__?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ();
                							_v21 = _t135;
                							__imp__?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ();
                							_v44 = _t135;
                							_t136 = _v21 & 0x000000ff;
                							__imp__?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z(_t136);
                							_v48 = _t136;
                							_v52 = _v48;
                							_v56 = E011C7100(_t136);
                							_t139 = E011C7110(_v48,  &_v56,  &_v52);
                							_t227 = _t227 + 8;
                							__eflags = _t139 & 0x000000ff;
                							if((_t139 & 0x000000ff) == 0) {
                								_t187 = _v32 - 1;
                								__eflags = _t187;
                								_v32 = _t187;
                								continue;
                							} else {
                								_v28 = _v28 | 0x00000004;
                							}
                							goto L15;
                						}
                					}
                					L15:
                					__eflags = _v28;
                					if(_v28 != 0) {
                						L19:
                						while(1) {
                							__eflags = _v32;
                							if(_v32 <= 0) {
                								goto L25;
                							}
                							__imp__?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ();
                							_v22 = _a4;
                							__imp__?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ();
                							_v64 = _a4;
                							_t127 = _v22 & 0x000000ff;
                							__imp__?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z(_t127);
                							_v68 = _t127;
                							_v72 = _v68;
                							_v76 = E011C7100(_t127);
                							_t130 = E011C7110(_v68,  &_v76,  &_v72);
                							_t227 = _t227 + 8;
                							__eflags = _t130 & 0x000000ff;
                							if((_t130 & 0x000000ff) == 0) {
                								_t205 = _v32 - 1;
                								__eflags = _t205;
                								_v32 = _t205;
                								continue;
                							} else {
                								_v28 = _v28 | 0x00000004;
                							}
                							goto L25;
                						}
                					} else {
                						__imp__?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ();
                						_v60 = _a4;
                						_t132 = _a12;
                						_t210 = _a8;
                						__imp__?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z(_t210, _t132, 0);
                						_v96 = _t132;
                						_v92 = _t210;
                						_v104 = _a12;
                						_v100 = 0;
                						__eflags = _v96 - _v104;
                						if(_v96 != _v104) {
                							L18:
                							_v28 = _v28 | 0x00000004;
                						} else {
                							__eflags = _v92 - _v100;
                							if(_v92 == _v100) {
                								goto L19;
                							} else {
                								goto L18;
                							}
                						}
                					}
                					L25:
                					__imp__?width@ios_base@std@@QAE_J_J@Z(0, 0);
                					_v8 = 0;
                				} else {
                					_v28 = _v28 | 0x00000004;
                				}
                				__imp__?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z(_v28, 0);
                				_v80 = _a4;
                				_v8 = 0xffffffff;
                				E011C50A0();
                				 *[fs:0x0] = _v16;
                				return _v80;
                			}

                APIs
                • ?width@ios_base@std@@QBE_JXZ.MSVCP140(5A3FFFE3), ref: 011C3EA0
                • ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 011C3EC7
                • ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 011C3EDF
                • ?flags@ios_base@std@@QBEHXZ.MSVCP140(?), ref: 011C3F39
                • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ.MSVCP140 ref: 011C3F6B
                • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 011C3F7F
                • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 011C3F90
                • char_traits.LIBCPMTD ref: 011C3FAF
                • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 011C3FDE
                • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000), ref: 011C3FF5
                • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ.MSVCP140 ref: 011C4048
                • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 011C405E
                • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 011C406F
                • char_traits.LIBCPMTD ref: 011C408E
                • ?width@ios_base@std@@QAE_J_J@Z.MSVCP140(00000000,00000000), ref: 011C40BB
                • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000), ref: 011C4101
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?fill@?$basic_ios@?sputc@?$basic_streambuf@char_traits$?flags@ios_base@std@@?setstate@?$basic_ios@?sputn@?$basic_streambuf@
                • String ID:
                • API String ID: 2533869809-0
                • Opcode ID: 7326a43ce178936b678645ee0e0fbd3202acf93cade912d49aa89a324e1eaed6
                • Instruction ID: 267363d2b673cc2a2c1aa7f9a820b85b614fd1bbd72c1ab470256a571c162f08
                • Opcode Fuzzy Hash: 7326a43ce178936b678645ee0e0fbd3202acf93cade912d49aa89a324e1eaed6
                • Instruction Fuzzy Hash: 29A1FA74A00249DFCF18CF98D495AAEBBB2FF98704F14812DE916AB384D735A941CF91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 26%
                			E011C8DD0(intOrPtr __ecx) {
                				void* _v8;
                				struct HINSTANCE__* _v12;
                				_Unknown_base(*)()* _v16;
                				char _v20;
                				_Unknown_base(*)()* _v24;
                				_Unknown_base(*)()* _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				intOrPtr _v44;
                				char* _t58;
                				intOrPtr _t71;
                				intOrPtr _t85;
                
                				_t71 = __ecx;
                				_v40 = __ecx;
                				_v28 = 0;
                				_v32 = 0;
                				_v8 = 0;
                				_v20 = 0;
                				_v16 = 0;
                				_v24 = 0;
                				_v12 = LoadLibraryW(L"wtsapi32.dll");
                				if(_v12 != 0) {
                					_v16 = GetProcAddress(_v12, "WTSQuerySessionInformationW");
                					_v24 = GetProcAddress(_v12, "WTSFreeMemory");
                					if(_v16 == 0 || _v24 == 0) {
                						L20:
                						if(_v12 != 0) {
                							FreeLibrary(_v12);
                						}
                						if(_v28 != _v32) {
                							_v36 = 0;
                						} else {
                							_v36 = 1;
                						}
                						return _v36;
                					} else {
                						_push( &_v20);
                						_push( &_v8);
                						_push(0x19);
                						_push(0xffffffff);
                						_push(0);
                						if(_v16() == 0) {
                							L12:
                							_t58 =  &_v20;
                							__imp__WTSGetActiveConsoleSessionId(0x19,  &_v8, _t58);
                							_push(_t58);
                							_push(0);
                							if(_v16() == 0) {
                								goto L20;
                							}
                							if(_v20 > 0) {
                								if( *_v8 == 1) {
                									_v32 =  *((intOrPtr*)(_v8 + 8));
                								}
                								_v24(_v8);
                								_v8 = 0;
                								goto L20;
                							}
                							if(_v12 != 0) {
                								FreeLibrary(_v12);
                							}
                							return 0;
                						}
                						if(_v20 > 0) {
                							if( *_v8 == 1) {
                								_v28 =  *((intOrPtr*)(_v8 + 8));
                							}
                							_v24(_v8);
                							_v8 = 0;
                							goto L12;
                						}
                						if(_v12 != 0) {
                							FreeLibrary(_v12);
                						}
                						return 0;
                					}
                				}
                				_v44 = _t85;
                				__imp__#286(_t71);
                				E011C85A0(L"Load Library failed");
                				return 0;
                			}

                APIs
                • LoadLibraryW.KERNEL32(wtsapi32.dll), ref: 011C8E08
                • #286.MFC140U(Load Library failed), ref: 011C8E22
                  • Part of subcall function 011C85A0: #280.MFC140U(00000000,?,5A3FFFE3,011C90C3,?,00000000), ref: 011C85D6
                  • Part of subcall function 011C85A0: #286.MFC140U(Error,?,?,5A3FFFE3,011C90C3,?,00000000), ref: 011C85EE
                  • Part of subcall function 011C85A0: #1506.MFC140U(?,5A3FFFE3,011C90C3,?,00000000), ref: 011C860E
                • GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationW), ref: 011C8E40
                • GetProcAddress.KERNEL32(00000000,WTSFreeMemory), ref: 011C8E52
                • FreeLibrary.KERNEL32(00000000), ref: 011C8E94
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #286AddressLibraryProc$#1506#280FreeLoad
                • String ID: Load Library failed$WTSFreeMemory$WTSQuerySessionInformationW$wtsapi32.dll
                • API String ID: 443175885-353417041
                • Opcode ID: fa19750a0140d07a401f660d033966075ec971dfec92c3b51851dc913a852da3
                • Instruction ID: 0253bd5cbacab20f350153f712190b47bde0efc9776221ff07c66e5d69dba71e
                • Opcode Fuzzy Hash: fa19750a0140d07a401f660d033966075ec971dfec92c3b51851dc913a852da3
                • Instruction Fuzzy Hash: 6C41D774900209EFEF18DFD4D989BEEBBB5BF14B05F10455CE61166280C7785A85CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #316.MFC140U(5A3FFFE3,?,?,?,00000000), ref: 011C83DF
                • #5117.MFC140U(00000105,00000104,?,?,?,00000000), ref: 011C83F9
                • GetModuleFileNameW.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 011C8402
                • #12559.MFC140U(000000FF,?,?,?,00000000), ref: 011C840D
                • #12884.MFC140U(0000005C,?,?,?,00000000), ref: 011C8418
                • #8360.MFC140U(?,00000000,\Log,?,?,?,00000000), ref: 011C8431
                  • Part of subcall function 011C5180: #5922.MFC140U ref: 011C51AF
                  • Part of subcall function 011C5180: #305.MFC140U(00000000), ref: 011C51B9
                  • Part of subcall function 011C5180: #14322.MFC140U(?), ref: 011C51CA
                  • Part of subcall function 011C5180: #5885.MFC140U(00000000,00000000,5A3FFFE3,?), ref: 011C51DB
                  • Part of subcall function 011C5180: #6967.MFC140U(00000000), ref: 011C51E5
                  • Part of subcall function 011C5180: #3009.MFC140U(?,00000000), ref: 011C51F0
                  • Part of subcall function 011C5180: #280.MFC140U(?), ref: 011C5200
                  • Part of subcall function 011C5180: #1506.MFC140U ref: 011C5219
                • #1523.MFC140U(?,?,?,?,?,?,?,00000000), ref: 011C8468
                • #1506.MFC140U(?,?,?,?,?,?,00000000), ref: 011C8475
                • #1506.MFC140U(?,?,?,?,?,?,00000000), ref: 011C8482
                • #280.MFC140U(000000FF,?,?,?,?,?,?,00000000), ref: 011C848F
                • #1506.MFC140U(?,?,?,?,?,?,00000000), ref: 011C84A8
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #1506$#280$#12559#12884#14322#1523#3009#305#316#5117#5885#5922#6967#8360FileModuleName
                • String ID: \Log
                • API String ID: 3188396538-3903625265
                • Opcode ID: b3b9dcc331a33c206343518c2cc8c94f15432a3709513419a02e5928761ae3c8
                • Instruction ID: 4245297b90711a805dedc8f5ed8950f0e8e364363950f6e3d7312cfa7e6a49c1
                • Opcode Fuzzy Hash: b3b9dcc331a33c206343518c2cc8c94f15432a3709513419a02e5928761ae3c8
                • Instruction Fuzzy Hash: 51310AB1910549DFCF18DFD4E944BEEFBB4FB18714F104229E522A3284DB706A44CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 45%
                			E011C5FF0(intOrPtr __ecx, void* __esi, void* __eflags, char* _a4, intOrPtr _a8) {
                				char _v8;
                				char _v16;
                				signed int _v20;
                				char _v44;
                				char _v68;
                				intOrPtr _v72;
                				char _v96;
                				char _v100;
                				intOrPtr _v104;
                				char* _v108;
                				intOrPtr _v112;
                				char _v116;
                				intOrPtr _v120;
                				intOrPtr _v124;
                				intOrPtr _v128;
                				signed int _t50;
                				signed int _t51;
                				signed int _t82;
                				char* _t92;
                				void* _t103;
                				signed int _t104;
                				void* _t105;
                				void* _t107;
                				intOrPtr _t110;
                
                				_t103 = __esi;
                				_push(0xffffffff);
                				_push(E011CC6C1);
                				_push( *[fs:0x0]);
                				_t50 =  *0x11d3258; // 0x5a3fffe3
                				_t51 = _t50 ^ _t104;
                				_v20 = _t51;
                				_push(_t51);
                				 *[fs:0x0] =  &_v16;
                				_v104 = __ecx;
                				E011C35E0( &_v96);
                				_t107 = _t105 - 0x70 + 4;
                				_v8 = 0;
                				E011C2B70( &_v68,  &_v96);
                				_v8 = 1;
                				E011C2BF0(L"IdeaShare");
                				_v8 = 2;
                				_v112 = E011C71F0( &_v68,  &_v44, 0);
                				if(_v112 < 0) {
                					 *((intOrPtr*)(_v104 + 0x10c)) = _v72;
                				}
                				_t100 = _a4;
                				_v108 = _a4;
                				if(_v108 == 0x8000) {
                					__imp__#296();
                					_v8 = 3;
                					_t82 = E011C8DD0(_v104 + 0xd4) & 0x000000ff;
                					__eflags = _t82;
                					if(_t82 == 0) {
                						L9:
                						__imp__#4815( &_v100, L"Service is not active when arrival, lock status %d",  *0x11d36b8 & 0x000000ff);
                						_v128 = _t107 + 0xc;
                						_t100 =  &_v100;
                						__imp__#280(_t82);
                						E011C8630( &_v100);
                						L10:
                						_v8 = 2;
                						__imp__#1045();
                						goto L11;
                					}
                					__eflags =  *0x11d36b8 & 0x000000ff;
                					if(( *0x11d36b8 & 0x000000ff) != 0) {
                						goto L9;
                					}
                					_t92 =  &_v100;
                					__imp__#4815(_t92, L"Service is active  when arrival, lock status %d",  *0x11d36b8 & 0x000000ff);
                					_t110 = _t107 + 0xc;
                					_v120 = _t110;
                					_t100 =  &_v100;
                					__imp__#280(_t92);
                					E011C8630( &_v100);
                					_v124 = _t110 + 4;
                					__imp__#286(_t110);
                					E011C8630(L"Device Arrial");
                					E011C5DD0(_v104,  &_v100, _t103, __eflags, _a4, _a8);
                					goto L10;
                				} else {
                					if(_v108 == 0x8004) {
                						E011C61D0(_v104, __eflags, _a8);
                					}
                					L11:
                					_v116 = 1;
                					_v8 = 1;
                					E011C2CC0();
                					_v8 = 0;
                					E011C2CC0();
                					_v8 = 0xffffffff;
                					E011C4C90( &_v96);
                					 *[fs:0x0] = _v16;
                					return E011CB089(_v20 ^ _t104, _t100);
                				}
                			}

                Strings
                • Service is active when arrival, lock status %d, xrefs: 011C60D5
                • Device Arrial, xrefs: 011C6105
                • IdeaShare, xrefs: 011C603E
                • Service is not active when arrival, lock status %d, xrefs: 011C6132
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #286
                • String ID: Device Arrial$IdeaShare$Service is active when arrival, lock status %d$Service is not active when arrival, lock status %d
                • API String ID: 1812580176-631395576
                • Opcode ID: 32fd83bfe2d516b40754e22643d17e2419154b1d77dee2d282493e95a86ad2ea
                • Instruction ID: 7d02ccd13a00c349377bffb4885bf4852a1280cb193921244849ec9064ddaa16
                • Opcode Fuzzy Hash: 32fd83bfe2d516b40754e22643d17e2419154b1d77dee2d282493e95a86ad2ea
                • Instruction Fuzzy Hash: 4E518DB0D04248DFCB0CDFE4E854BEDBBB4BBA4B04F14812DE4166B281DB741A44CB92
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E011C8F50(char* __ecx, void* __esi, void* __eflags) {
                				char _v8;
                				char _v16;
                				signed int _v20;
                				char _v44;
                				char _v68;
                				char _v92;
                				signed char _v93;
                				signed char _v94;
                				signed char _v95;
                				char* _v100;
                				void* _v104;
                				intOrPtr _v108;
                				intOrPtr _v112;
                				intOrPtr _v116;
                				intOrPtr _v120;
                				intOrPtr _v124;
                				intOrPtr _v128;
                				intOrPtr _v132;
                				intOrPtr _v136;
                				intOrPtr _v140;
                				intOrPtr _v144;
                				signed int _t48;
                				signed int _t49;
                				void* _t54;
                				char* _t93;
                				signed int _t102;
                				void* _t103;
                				intOrPtr _t104;
                				intOrPtr _t105;
                				intOrPtr _t106;
                				intOrPtr _t107;
                
                				_t104 = _t103 - 0x80;
                				_t48 =  *0x11d3258; // 0x5a3fffe3
                				_t49 = _t48 ^ _t102;
                				_v20 = _t49;
                				 *[fs:0x0] =  &_v16;
                				_v100 = __ecx;
                				_v128 = _t104;
                				__imp__#286(__ecx, _t49, __esi,  *[fs:0x0], E011CC9A0, 0xffffffff);
                				E011C8630("Check Setup Path");
                				_t105 = _t104 + 4;
                				_v132 = _t105;
                				_v108 = E011C96D0(_v100,  &_v44);
                				_v112 = _v108;
                				_v8 = 0;
                				_t54 = E011CAA30();
                				__imp__#286(_t104);
                				E011C8630(_t54);
                				_t106 = _t105 + 4;
                				_v8 = 0xffffffff;
                				E011C2CC0();
                				_v116 = E011C96D0(_v100,  &_v68);
                				_v93 = E011CAA80(_v116);
                				E011C2CC0();
                				if((_v93 & 0x000000ff) == 0) {
                					_t107 = _t106 - 0x18;
                					_v140 = _t107;
                					_v120 = E011C96D0(_v100,  &_v92);
                					_v124 = _v120;
                					_v8 = 1;
                					E011C2BF0(E011CAA30());
                					_v94 = E011CA260(_v100);
                					if((_v94 & 0x000000ff) != 0) {
                						_v104 = 0;
                					} else {
                						_v104 = 1;
                					}
                					_t97 = _v104;
                					_v95 = _v104;
                					_v8 = 0xffffffff;
                					E011C2CC0();
                					if((_v95 & 0x000000ff) == 0) {
                						_t97 = _v100;
                						 *_v100 = 1;
                					} else {
                						_v144 = _t107;
                						__imp__#286( &_v92);
                						E011C85A0(L"PathFileExistsCheck:not Exist");
                						 *_v100 = 0;
                					}
                				} else {
                					_t93 = _v100;
                					 *_t93 = 0;
                					_v136 = _t106;
                					__imp__#286(_t93);
                					E011C85A0(L"Get Setup Path:empty");
                				}
                				 *[fs:0x0] = _v16;
                				return E011CB089(_v20 ^ _t102, _t97);
                			}

                APIs
                • #286.MFC140U(Check Setup Path,?,5A3FFFE3), ref: 011C8F8A
                  • Part of subcall function 011C8630: #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                  • Part of subcall function 011C8630: #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C8630: #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                • Concurrency::details::SchedulerBase::GetPolicy.LIBCMTD ref: 011C8FA5
                • #286.MFC140U(00000000,?), ref: 011C8FC5
                • Concurrency::details::SchedulerBase::GetPolicy.LIBCMTD ref: 011C8FE9
                • std::ios_base::good.LIBCPMTD ref: 011C8FF4
                • #286.MFC140U(Get Setup Path:empty,?,?), ref: 011C9020
                  • Part of subcall function 011C85A0: #280.MFC140U(00000000,?,5A3FFFE3,011C90C3,?,00000000), ref: 011C85D6
                  • Part of subcall function 011C85A0: #286.MFC140U(Error,?,?,5A3FFFE3,011C90C3,?,00000000), ref: 011C85EE
                  • Part of subcall function 011C85A0: #1506.MFC140U(?,5A3FFFE3,011C90C3,?,00000000), ref: 011C860E
                • Concurrency::details::SchedulerBase::GetPolicy.LIBCMTD ref: 011C9045
                • #286.MFC140U(PathFileExistsCheck:not Exist,?,00000000,?,?,?,?,?,?,?), ref: 011C90B8
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #286$Base::Concurrency::details::PolicyScheduler$#1506#280$std::ios_base::good
                • String ID: Check Setup Path$Get Setup Path:empty$PathFileExistsCheck:not Exist
                • API String ID: 2543794021-125277733
                • Opcode ID: 5369d2087ee2eb6b5092155677c677adc1860d055caca42beb854992b192ce0a
                • Instruction ID: 187264618411216f9f15133af65d8211ad250c43374cc92a7c9187f070ec0012
                • Opcode Fuzzy Hash: 5369d2087ee2eb6b5092155677c677adc1860d055caca42beb854992b192ce0a
                • Instruction Fuzzy Hash: C8418CB0E1435C8BDB18EFE8D8517ADBBB5BF64B18F00016DE41AAB281DB711900CB92
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E011CA400(intOrPtr __ecx, void* __eflags) {
                				WCHAR* _v8;
                				char _v16;
                				signed int _v20;
                				char _v44;
                				void* _v45;
                				signed char _v46;
                				intOrPtr _v52;
                				char _v56;
                				intOrPtr _v60;
                				intOrPtr _v64;
                				intOrPtr _v68;
                				struct _PROCESS_INFORMATION _v84;
                				struct _STARTUPINFOW _v152;
                				signed int _t31;
                				signed int _t32;
                				signed char _t35;
                				char* _t61;
                				signed int _t67;
                				void* _t68;
                				intOrPtr _t69;
                				void* _t70;
                				void* _t71;
                
                				_t69 = _t68 - 0x88;
                				_t31 =  *0x11d3258; // 0x5a3fffe3
                				_t32 = _t31 ^ _t67;
                				_v20 = _t32;
                				 *[fs:0x0] =  &_v16;
                				_v52 = __ecx;
                				_v64 = _t69;
                				__imp__#286(__ecx, _t32,  *[fs:0x0], E011CCC39, 0xffffffff);
                				E011C8630(L"Try to Start IdeaShareKey");
                				_t70 = _t69 + 4;
                				_t35 = E011C8DD0(_v52);
                				_t75 = (_t35 & 0x000000ff) - 1;
                				if((_t35 & 0x000000ff) == 1) {
                					E011CA300(_v52, _t75);
                					memset( &_v152, 0, 0x44);
                					_t71 = _t70 + 0xc;
                					_v152.cb = 0x44;
                					_v60 = E011C9590(_v52, _t75,  &_v44);
                					if(CreateProcessW(E011CAA30(), 0, 0, 0, 0, 0, 0, 0,  &_v152,  &_v84) == 0) {
                						_v45 = 0;
                					} else {
                						_v45 = 1;
                					}
                					_v46 = _v45;
                					E011C2CC0();
                					__imp__#296();
                					_v8 = 0;
                					_t61 =  &_v56;
                					__imp__#4815(_t61, L"Start IdeaShareKey Result:%d", _v46 & 0x000000ff);
                					_v68 = _t71 + 0xc;
                					_t64 =  &_v56;
                					__imp__#280(_t61);
                					E011C8630( &_v56);
                					_v8 = 0xffffffff;
                					__imp__#1045();
                				}
                				 *[fs:0x0] = _v16;
                				return E011CB089(_v20 ^ _t67, _t64);
                			}


























                APIs
                • #286.MFC140U(Try to Start IdeaShareKey,?,5A3FFFE3), ref: 011CA439
                  • Part of subcall function 011C8630: #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                  • Part of subcall function 011C8630: #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C8630: #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                  • Part of subcall function 011C8DD0: LoadLibraryW.KERNEL32(wtsapi32.dll), ref: 011C8E08
                  • Part of subcall function 011C8DD0: #286.MFC140U(Load Library failed), ref: 011C8E22
                  • Part of subcall function 011CA300: #286.MFC140U(Try to Close AirPresenceKey,?,?,?,?,011CA463), ref: 011CA314
                  • Part of subcall function 011CA300: FindWindowW.USER32(00000000,IdeaShare Key), ref: 011CA329
                  • Part of subcall function 011CA300: SendMessageA.USER32(00000000,00000012,00000000,00000000), ref: 011CA342
                  • Part of subcall function 011CA300: #286.MFC140U(SendMessageA Close), ref: 011CA353
                • memset.VCRUNTIME140(00000000,00000000,00000044), ref: 011CA46E
                  • Part of subcall function 011C9590: GetModuleFileNameW.KERNEL32(00000000,?,00000104,5A3FFFE3), ref: 011C95D9
                  • Part of subcall function 011C9590: #286.MFC140U(?), ref: 011C95EC
                  • Part of subcall function 011C9590: #12884.MFC140U(0000005C), ref: 011C9601
                  • Part of subcall function 011C9590: #8360.MFC140U(?,?), ref: 011C9624
                  • Part of subcall function 011C9590: #6967.MFC140U ref: 011C9653
                  • Part of subcall function 011C9590: #1506.MFC140U(00000000), ref: 011C967B
                  • Part of subcall function 011C9590: #1506.MFC140U ref: 011C968B
                  • Part of subcall function 011C9590: #1506.MFC140U ref: 011C969E
                • CreateProcessW.KERNEL32 ref: 011CA4B1
                • #316.MFC140U ref: 011CA4D6
                • #4815.MFC140U(?,Start IdeaShareKey Result:%d,?), ref: 011CA4F1
                • #280.MFC140U(?), ref: 011CA504
                • #1506.MFC140U ref: 011CA51C
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #286$#1506$#280$#12884#316#4815#6967#8360CreateFileFindLibraryLoadMessageModuleNameProcessSendWindowmemset
                • String ID: D$Start IdeaShareKey Result:%d$Try to Start IdeaShareKey
                • API String ID: 4038364603-1376062188
                • Opcode ID: 168aa81bf5dbfbb2b42441041825e76c510cd582e82e700611221cd99ae5e9b2
                • Instruction ID: 938b42e340ab9f17dc0685984fcc77e2076780824ac1c707f28701af637fed9d
                • Opcode Fuzzy Hash: 168aa81bf5dbfbb2b42441041825e76c510cd582e82e700611221cd99ae5e9b2
                • Instruction Fuzzy Hash: 003172B1D14258AFDB18DFA4ED45BEDBBB4BF28B04F00012DF516A7280EB755904CB95
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #316.MFC140U ref: 011C4D95
                • #4815.MFC140U(?,%Ts (%Ts:%d)%Ts,Exception thrown in destructor,c:\program files (x86)\microsoft visual studio\2017\professional\vc\tools\msvc\14.16.27023\atlmfc\include\afxwin1.inl,0000004D,?), ref: 011C4DE3
                • #4815.MFC140U(?,%Ts (%Ts:%d),Exception thrown in destructor,c:\program files (x86)\microsoft visual studio\2017\professional\vc\tools\msvc\14.16.27023\atlmfc\include\afxwin1.inl,0000004D), ref: 011C4E06
                • #6967.MFC140U(00000000,00000000), ref: 011C4E19
                • #2304.MFC140U(00000000), ref: 011C4E20
                • #1506.MFC140U(00000000), ref: 011C4E2F
                Strings
                • %Ts (%Ts:%d)%Ts, xrefs: 011C4DD7
                • %Ts (%Ts:%d), xrefs: 011C4DFA
                • Exception thrown in destructor, xrefs: 011C4DD2, 011C4DF5
                • c:\program files (x86)\microsoft visual studio\2017\professional\vc\tools\msvc\14.16.27023\atlmfc\include\afxwin1.inl, xrefs: 011C4DCD, 011C4DF0
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #4815$#1506#2304#316#6967
                • String ID: %Ts (%Ts:%d)$%Ts (%Ts:%d)%Ts$Exception thrown in destructor$c:\program files (x86)\microsoft visual studio\2017\professional\vc\tools\msvc\14.16.27023\atlmfc\include\afxwin1.inl
                • API String ID: 2792190715-882324090
                • Opcode ID: cf82729c4494d5da415be395fce51f7cea37bdb8bb87897cc2bc5500bf582c6b
                • Instruction ID: 74291b206dad92791c36716b331f5d6d53e9999b4bcd7ca963021db74cfa541b
                • Opcode Fuzzy Hash: cf82729c4494d5da415be395fce51f7cea37bdb8bb87897cc2bc5500bf582c6b
                • Instruction Fuzzy Hash: B22156B0A442189FDB28DB54DD55BEDB774AB68B04F4080FCE20967281CB705AC5CF99
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E011C7500(void* __ebx, int __ecx, void* __esi, void* __eflags, char _a4) {
                				signed int _v8;
                				char _v12;
                				void _v44;
                				int _v48;
                				char _v49;
                				signed int _v50;
                				signed int _v56;
                				int _v60;
                				char _v64;
                				char _v68;
                				char _v72;
                				char _v76;
                				char _v80;
                				intOrPtr _v84;
                				signed int _t62;
                				signed int _t66;
                				int _t68;
                				signed char _t81;
                				signed char _t87;
                				char* _t92;
                				signed int _t109;
                				signed int _t129;
                
                				_t62 =  *0x11d3258; // 0x5a3fffe3
                				_v8 = _t62 ^ _t129;
                				_v48 = __ecx;
                				_v72 = E011C7100(_t62 ^ _t129);
                				_t66 = E011C7110( &_v72,  &_v72,  &_a4);
                				_t140 = _t66 & 0x000000ff;
                				if((_t66 & 0x000000ff) == 0) {
                					__imp__?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ();
                					__eflags = _t66;
                					if(_t66 == 0) {
                						L5:
                						_t121 = _v48;
                						__eflags =  *(_t121 + 0x4c);
                						if( *(_t121 + 0x4c) != 0) {
                							E011C6C50(_t66, _v48);
                							_t68 = _v48;
                							__eflags =  *(_t68 + 0x38);
                							if( *(_t68 + 0x38) != 0) {
                								_v84 = 0x20;
                								_v50 = E011C7BC0( &_a4);
                								_t121 = _v48 + 0x40;
                								_t72 = _v48;
                								__imp__?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z(_v48 + 0x40,  &_v50,  &_v49,  &_v80,  &_v44,  &_v12,  &_v76);
                								_v56 = _v48;
                								__eflags = _v56;
                								if(_v56 < 0) {
                									L26:
                									E011C7100(_t72);
                									L27:
                									return E011CB089(_v8 ^ _t129, _t121);
                								}
                								__eflags = _v56 - 1;
                								if(_v56 <= 1) {
                									_t109 = _v76 -  &_v44;
                									__eflags = _t109;
                									_v60 = _t109;
                									if(_t109 == 0) {
                										L19:
                										 *((char*)(_v48 + 0x3d)) = 1;
                										_t121 =  &_v50;
                										__eflags = _v80 -  &_v50;
                										if(_v80 ==  &_v50) {
                											E011C7100(_t72);
                										}
                										goto L27;
                									}
                									_t121 = _v60;
                									_t72 = fwrite( &_v44, 1, _v60,  *(_v48 + 0x4c));
                									__eflags = _v60 - _t72;
                									if(_v60 == _t72) {
                										goto L19;
                									}
                									E011C7100(_t72);
                									goto L27;
                								}
                								__eflags = _v56 - 3;
                								if(_v56 == 3) {
                									_t121 = _v50 & 0x000000ff;
                									_t81 = E011C3E20( *(_v48 + 0x4c), _v50 & 0x000000ff,  *(_v48 + 0x4c));
                									_t82 = _t81 & 0x000000ff;
                									__eflags = _t81 & 0x000000ff;
                									if((_t81 & 0x000000ff) == 0) {
                										_v68 = E011C7100(_t82);
                									} else {
                										_v68 = _a4;
                									}
                									goto L27;
                								}
                								goto L26;
                							}
                							_t87 = E011C3E20(E011C7BC0( &_a4) & 0x000000ff, E011C7BC0( &_a4) & 0x000000ff,  *(_v48 + 0x4c));
                							_t121 = _t87 & 0x000000ff;
                							__eflags = _t87 & 0x000000ff;
                							if((_t87 & 0x000000ff) == 0) {
                								_v64 = E011C7100(_t87);
                							} else {
                								_v64 = _a4;
                							}
                							goto L27;
                						}
                						E011C7100(_t66);
                						goto L27;
                					}
                					__imp__?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ();
                					__imp__?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ();
                					__eflags = _t66 - _t66;
                					if(_t66 >= _t66) {
                						goto L5;
                					}
                					_t92 = E011C7BC0( &_a4);
                					__imp__?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ();
                					 *_t92 = _t92;
                					goto L27;
                				}
                				E011C73F0(_t140,  &_a4);
                				goto L27;
                			}


























                APIs
                • char_traits.LIBCPMTD ref: 011C7525
                • char_traits.LIBCPMTD ref: 011C7538
                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C7548
                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C7555
                • ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C7560
                • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 011C757B
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: D@std@@@std@@U?$char_traits@$?pptr@?$basic_streambuf@char_traits$?epptr@?$basic_streambuf@Pninc@?$basic_streambuf@
                • String ID:
                • API String ID: 122709516-3916222277
                • Opcode ID: fb00ecfa38c71d0cb34c47ea4f3b9a307a0cac9c6bf0c1b3edc48a8191d5da50
                • Instruction ID: 90d885e93be3830d72054b06ca7374fd107248a7a96734c19dba3747cce8ba40
                • Opcode Fuzzy Hash: fb00ecfa38c71d0cb34c47ea4f3b9a307a0cac9c6bf0c1b3edc48a8191d5da50
                • Instruction Fuzzy Hash: E1515FB5D00119DFDB1DDBACD8809EDBBB5AF78704F04802DE512A7280EB719944CF61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 54%
                			E011C65D0(intOrPtr __ecx, void* __esi, signed int _a4, intOrPtr _a8) {
                				intOrPtr _v8;
                				signed int _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				signed int _t31;
                
                				_v8 = __ecx;
                				_v12 = _a4;
                				_t31 = _v12 - 1;
                				_v12 = _t31;
                				if(_v12 <= 7) {
                					switch( *((intOrPtr*)(_v12 * 4 +  &M011C66D0))) {
                						case 0:
                							_push(_t31);
                							_v16 = _t38;
                							__imp__#286();
                							E011C8630(L"CONSOLE CONNECT");
                							E011C5DD0(_v8, _t36, __esi, _t40, _a4, 0);
                							goto L6;
                						case 1:
                							_push(__ecx);
                							__ecx = __esp;
                							_v20 = __esp;
                							__imp__#286();
                							__eax = E011C8630(L"CONSOLE DISCONNECT");
                							__ecx = _v8;
                							__ecx = _v8 + 0xd4;
                							__eax = E011CA300(__ecx, __eflags);
                							goto L6;
                						case 2:
                							goto L6;
                						case 3:
                							 *0x11d36b8 = 1;
                							_push(__ecx);
                							__ecx = __esp;
                							_v24 = __esp;
                							__imp__#286();
                							__eax = E011C8630(L"SESSION LOCK");
                							__ecx = _v8;
                							__ecx = _v8 + 0xd4;
                							__eax = E011CA540(__ecx, __eflags);
                							goto L6;
                						case 4:
                							 *0x11d36b8 = 0;
                							_push(__ecx);
                							__ecx = __esp;
                							_v28 = __esp;
                							__imp__#286();
                							__eax = E011C8630(L"SESSION UNLOCK");
                							Sleep(0x7d0);
                							__ecx = _a4;
                							__ecx = _v8;
                							__eax = E011C5DD0(__ecx, __edx, __esi, __eflags, _a4, 0);
                							goto L6;
                					}
                				}
                				L6:
                				return E011C6590(_a4, _v8, _a4, _a8);
                			}











                APIs
                • #286.MFC140U(CONSOLE CONNECT,?), ref: 011C6607
                • #286.MFC140U(CONSOLE DISCONNECT), ref: 011C6633
                • #286.MFC140U(SESSION LOCK), ref: 011C6663
                • #286.MFC140U(SESSION UNLOCK), ref: 011C6693
                • Sleep.KERNEL32(000007D0), ref: 011C66A6
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #286$Sleep
                • String ID: CONSOLE CONNECT$CONSOLE DISCONNECT$SESSION LOCK$SESSION UNLOCK
                • API String ID: 1313979844-2359570800
                • Opcode ID: e668360c94f88b9d8d5e311631fd78ae96b28883015c8aace13760fbd0a51564
                • Instruction ID: e183fc86ed7d4fd7a742f1e52e8dc9add68307ce1c65a0011e7e1ebae9c1dc77
                • Opcode Fuzzy Hash: e668360c94f88b9d8d5e311631fd78ae96b28883015c8aace13760fbd0a51564
                • Instruction Fuzzy Hash: 3E211DB0A14209EBCB0CEFD8E856AAD7B75EB64B14F10406DF51667340DB716A44CBD3
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,5A3FFFE3), ref: 011C95D9
                • #286.MFC140U(?), ref: 011C95EC
                • #12884.MFC140U(0000005C), ref: 011C9601
                • #8360.MFC140U(?,?), ref: 011C9624
                  • Part of subcall function 011C5180: #5922.MFC140U ref: 011C51AF
                  • Part of subcall function 011C5180: #305.MFC140U(00000000), ref: 011C51B9
                  • Part of subcall function 011C5180: #14322.MFC140U(?), ref: 011C51CA
                  • Part of subcall function 011C5180: #5885.MFC140U(00000000,00000000,5A3FFFE3,?), ref: 011C51DB
                  • Part of subcall function 011C5180: #6967.MFC140U(00000000), ref: 011C51E5
                  • Part of subcall function 011C5180: #3009.MFC140U(?,00000000), ref: 011C51F0
                  • Part of subcall function 011C5180: #280.MFC140U(?), ref: 011C5200
                  • Part of subcall function 011C5180: #1506.MFC140U ref: 011C5219
                • #6967.MFC140U ref: 011C9653
                • #1506.MFC140U(00000000), ref: 011C967B
                • #1506.MFC140U ref: 011C968B
                • #1506.MFC140U ref: 011C969E
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #1506$#6967$#12884#14322#280#286#3009#305#5885#5922#8360FileModuleName
                • String ID: IdeaShareKey.exe
                • API String ID: 1015009508-3948293654
                • Opcode ID: 18b27c462a18cd6397d6c04b3c08b4c51591241dc97da3f60cc29ab334debb18
                • Instruction ID: e6aea9a0f41372ff1a14dd5eb5c8ce2c2f1a62ea65c7ffe42573683359ddab72
                • Opcode Fuzzy Hash: 18b27c462a18cd6397d6c04b3c08b4c51591241dc97da3f60cc29ab334debb18
                • Instruction Fuzzy Hash: 51312075945258EFCB24DF94EC49BDDBBB4FB18710F1042A9E416A3290DB746B84CF50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E011C76E0(signed char __eax, intOrPtr __ecx, char _a4) {
                				char _v5;
                				intOrPtr _v12;
                				char _v16;
                				char _v20;
                				char _v24;
                				signed char _t49;
                				intOrPtr _t57;
                				intOrPtr _t72;
                				void* _t80;
                				void* _t81;
                				void* _t84;
                
                				_t34 = __eax;
                				_v12 = __ecx;
                				__imp__?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ();
                				if(__eax == 0) {
                					L5:
                					_t57 = _v12;
                					__eflags =  *(_t57 + 0x4c);
                					if( *(_t57 + 0x4c) == 0) {
                						L7:
                						return E011C7100(_t34);
                					}
                					_v24 = E011C7100(_t34);
                					_t34 = E011C7110(_t57,  &_v24,  &_a4);
                					_t81 = _t80 + 8;
                					__eflags = _t34 & 0x000000ff;
                					if((_t34 & 0x000000ff) == 0) {
                						_t72 = _v12;
                						__eflags =  *(_t72 + 0x38);
                						if( *(_t72 + 0x38) != 0) {
                							L11:
                							__imp__?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ();
                							__eflags = _t34 - _v12 + 0x3c;
                							if(_t34 == _v12 + 0x3c) {
                								return E011C7100(_t34);
                							}
                							 *((char*)(_v12 + 0x3c)) = E011C7BC0( &_a4);
                							E011C6C90(_t40, _v12);
                							return _a4;
                						}
                						_v5 = E011C7BC0( &_a4);
                						_t34 = E011C43F0(_v12,  &_v5,  *((intOrPtr*)(_v12 + 0x4c)));
                						_t81 = _t81 + 0xc;
                						__eflags = _t34 & 0x000000ff;
                						if((_t34 & 0x000000ff) == 0) {
                							goto L11;
                						}
                						return _a4;
                					}
                					goto L7;
                				}
                				__imp__?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ();
                				__imp__?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ();
                				if(__eax >= __eax) {
                					goto L5;
                				}
                				_v16 = E011C7100(__eax);
                				_t49 = E011C7110( &_v16,  &_v16,  &_a4);
                				_t84 = _t80 + 8;
                				if((_t49 & 0x000000ff) != 0) {
                					L4:
                					__imp__?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ();
                					return E011C73F0(_t90,  &_a4);
                				}
                				__imp__?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ();
                				_v20 = E011C7BD0(_t49 + 0xffffffffffffffff);
                				_t34 = E011C7110( &_v20,  &_v20,  &_a4);
                				_t80 = _t84 + 0xc;
                				_t90 = _t34 & 0x000000ff;
                				if((_t34 & 0x000000ff) == 0) {
                					goto L5;
                				}
                				goto L4;
                			}

                APIs
                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C76ED
                • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C76FE
                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C7709
                • char_traits.LIBCPMTD ref: 011C7723
                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C7735
                • char_traits.LIBCPMTD ref: 011C7759
                • ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 011C776B
                • char_traits.LIBCPMTD ref: 011C7775
                • char_traits.LIBCPMTD ref: 011C77A0
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: D@std@@@std@@U?$char_traits@$char_traits$?gptr@?$basic_streambuf@$?eback@?$basic_streambuf@Gndec@?$basic_streambuf@
                • String ID:
                • API String ID: 1248759640-0
                • Opcode ID: 7ce7721a9a426d73a6f23df33aa2dd7f8227a4f73110f09a982a2cca06fc1a0e
                • Instruction ID: 3f5c4b6e832a6d463d3a63c9db9c02a0f62349fcc9b74fa680cb1af6362cfd59
                • Opcode Fuzzy Hash: 7ce7721a9a426d73a6f23df33aa2dd7f8227a4f73110f09a982a2cca06fc1a0e
                • Instruction Fuzzy Hash: EA4191B5D00109AFDB0DEBE4E8549EE7B79AFB0605F04807DE9029B281EB749A45CFD1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #5885#6967$#1506#280#3009#305#5922
                • String ID:
                • API String ID: 1980762339-0
                • Opcode ID: f70c3122d4ef6e5718ea06b362e86274a876df556aeb559b12572ce925945bfb
                • Instruction ID: 46c03f23292632779d62ab800c667a0abd843b773ade4a9155f8933ec7e84edc
                • Opcode Fuzzy Hash: f70c3122d4ef6e5718ea06b362e86274a876df556aeb559b12572ce925945bfb
                • Instruction Fuzzy Hash: CD1121B1500108EFCF18DF94ED58AAEBFB9FB48314F104239F82693694DB345A40CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E011C1F50(void** _a4, intOrPtr _a8, void* _a12, long _a16) {
                				long _v8;
                				void* _v12;
                				void* _v16;
                				void* _v20;
                				void* _v24;
                				void* _v28;
                				void* _t147;
                
                				_v8 = 0;
                				_v12 = 0;
                				_v20 = _a4[0xc];
                				if(_a4[6] != 0) {
                					L4:
                					if(_a16 < 0) {
                						L7:
                						_v16 = GetOverlappedResult( *_a4,  &(_a4[8]),  &_v8, 1);
                						_a4[6] = 0;
                						if(_v16 != 0 && _v8 > 0) {
                							if( *(_a4[7]) != 0) {
                								if(_a12 <= _v8) {
                									_v28 = _a12;
                								} else {
                									_v28 = _v8;
                								}
                								_v12 = _v28;
                								E011C24B0(_a8, _v12, _a4[7], _v12);
                								_t147 = _t147 + 0x10;
                							} else {
                								_v8 = _v8 - 1;
                								if(_a12 <= _v8) {
                									_v24 = _a12;
                								} else {
                									_v24 = _v8;
                								}
                								_v12 = _v24;
                								E011C24B0(_a8, _v12, _a4[7] + 1, _v12);
                								_t147 = _t147 + 0x10;
                							}
                						}
                						L18:
                						if(_v16 != 0) {
                							return _v12;
                						}
                						_push("GetOverlappedResult");
                						return E011C26B0(_a4) | 0xffffffff;
                					}
                					_v16 = WaitForSingleObject(_v20, _a16);
                					if(_v16 == 0) {
                						goto L7;
                					}
                					return 0;
                				}
                				_a4[6] = 1;
                				E011C10E0(_a4[7], _a4[3], 0, _a4[3]);
                				_t147 = _t147 + 0x10;
                				ResetEvent(_v20);
                				_v16 = ReadFile( *_a4, _a4[7], _a4[3],  &_v8,  &(_a4[8]));
                				if(_v16 != 0 || GetLastError() == 0x3e5) {
                					goto L4;
                				} else {
                					CancelIo( *_a4);
                					_a4[6] = 0;
                					goto L18;
                				}
                			}

                APIs
                • ResetEvent.KERNEL32(?), ref: 011C1FA7
                • ReadFile.KERNEL32(00000000,?,?,00000000,-00000020), ref: 011C1FCC
                • GetLastError.KERNEL32 ref: 011C1FDB
                • CancelIo.KERNEL32 ref: 011C1FEE
                • WaitForSingleObject.KERNEL32(?,00000000), ref: 011C2011
                • GetOverlappedResult.KERNEL32(00000000,-00000020,00000000,00000001), ref: 011C203A
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: CancelErrorEventFileLastObjectOverlappedReadResetResultSingleWait
                • String ID: GetOverlappedResult
                • API String ID: 3829721164-1732891777
                • Opcode ID: f366f2a5168f67d7e1b08600ad85c82727224dfe47f8af170725fb7ff210f142
                • Instruction ID: da733d4ceb3330ebb78070b6e4793999bc67665399363ed8fc39a64730989684
                • Opcode Fuzzy Hash: f366f2a5168f67d7e1b08600ad85c82727224dfe47f8af170725fb7ff210f142
                • Instruction Fuzzy Hash: 4F512C74A00209EFDB08CF98C484AAEBBB6FF98714F10855DE9199B345C735EA91CF91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E011C21A0(void* __eflags, void** _a4, void* _a8, long _a12) {
                				void* _v8;
                				int _v12;
                				long _v16;
                				struct _OVERLAPPED _v36;
                				void* _t87;
                				void* _t88;
                
                				E011C10E0( &_v36, 0x14, 0, 0x14);
                				_t88 = _t87 + 0x10;
                				if(_a12 < (_a4[2] & 0x0000ffff)) {
                					_v8 = malloc(_a4[2] & 0x0000ffff);
                					E011C24B0(_v8, _a12, _a8, _a12);
                					E011C10E0(_v8 + _a12, (_a4[2] & 0x0000ffff) - _a12, 0, (_a4[2] & 0x0000ffff) - _a12);
                					_t88 = _t88 + 0x24;
                					_a12 = _a4[2] & 0x0000ffff;
                				} else {
                					_v8 = _a8;
                				}
                				_v12 = WriteFile( *_a4, _v8, _a12, 0,  &_v36);
                				if(_v12 != 0 || GetLastError() == 0x3e5) {
                					_v12 = GetOverlappedResult( *_a4,  &_v36,  &_v16, 1);
                					if(_v12 == 0) {
                						_push("WriteFile");
                						E011C26B0(_a4);
                						_t88 = _t88 + 8;
                						_v16 = 0xffffffff;
                					}
                				} else {
                					_push("WriteFile");
                					E011C26B0(_a4);
                					_t88 = _t88 + 8;
                					_v16 = 0xffffffff;
                				}
                				if(_v8 != _a8) {
                					free(_v8);
                				}
                				return _v16;
                			}

                APIs
                • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 011C21D4
                • WriteFile.KERNEL32(?,?,?,00000000,?), ref: 011C223D
                • GetLastError.KERNEL32 ref: 011C224C
                • GetOverlappedResult.KERNEL32(?,?,?,00000001), ref: 011C2283
                  • Part of subcall function 011C26B0: GetLastError.KERNEL32(00000400,00000000,00000000,00000000,00000000,Send Feature Report GetOverLappedResult), ref: 011C26C3
                  • Part of subcall function 011C26B0: FormatMessageW.KERNEL32(00001300,00000000,00000000), ref: 011C26D1
                  • Part of subcall function 011C26B0: LocalFree.KERNEL32(?), ref: 011C270E
                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 011C22B6
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: ErrorLast$FileFormatFreeLocalMessageOverlappedResultWritefreemalloc
                • String ID: WriteFile$WriteFile
                • API String ID: 1210738206-988621820
                • Opcode ID: d161a24c0505ca0d3540856c0800e5ae9f1df62afe09666a74c53d1fdfc44060
                • Instruction ID: f8946252f96ae2f43fe76b954cd660afbe229b74795e805ef4edf388eb603d6f
                • Opcode Fuzzy Hash: d161a24c0505ca0d3540856c0800e5ae9f1df62afe09666a74c53d1fdfc44060
                • Instruction Fuzzy Hash: B0415BB5900209EFCB08DF98D885EAE7B75FF58B14F14855CF9199B284D730AA90CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E011CA540(intOrPtr __ecx, void* __eflags) {
                				struct HWND__* _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				struct HWND__* _t8;
                				intOrPtr _t13;
                				intOrPtr _t15;
                				intOrPtr _t16;
                
                				_v12 = __ecx;
                				_t13 = _t15;
                				_v16 = _t15;
                				__imp__#286(__ecx);
                				E011C8630(L"Try to Stop IdeaShareKey");
                				_t16 = _t15 + 4;
                				_t8 = FindWindowW(0, L"IdeaShare Key");
                				_v8 = _t8;
                				if(_v8 != 0) {
                					SendMessageA(_v8, 0x10, 0, 0);
                					_v20 = _t16;
                					__imp__#286(_t13);
                					return E011C8630(L"SendMessageA QUIT");
                				}
                				return _t8;
                			}

                APIs
                • #286.MFC140U(Try to Stop IdeaShareKey,?,?,?,011C6217,00000001), ref: 011CA554
                  • Part of subcall function 011C8630: #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                  • Part of subcall function 011C8630: #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C8630: #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                • FindWindowW.USER32(00000000,IdeaShare Key), ref: 011CA569
                • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 011CA582
                • #286.MFC140U(SendMessageA QUIT,?,?,?,?,011C6217), ref: 011CA593
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #286$#1506#280FindMessageSendWindow
                • String ID: IdeaShare Key$SendMessageA QUIT$Try to Stop IdeaShareKey
                • API String ID: 683426990-1069736648
                • Opcode ID: cbd1a5abf883d75c1cdbe801ac76fb39538eb2e68ee4b638c7104958bc023a8f
                • Instruction ID: 9ddc7b372c11fef04cab6a7a94c846554d538799e6b81e60a0c9ba33cdc5f2f3
                • Opcode Fuzzy Hash: cbd1a5abf883d75c1cdbe801ac76fb39538eb2e68ee4b638c7104958bc023a8f
                • Instruction Fuzzy Hash: F1F03AB0E54308BFEB18ABE5EC0BB5DBE64AB24F05F00417DF515A6280D7B12A408BD2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E011CA300(intOrPtr __ecx, void* __eflags) {
                				struct HWND__* _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				struct HWND__* _t8;
                				intOrPtr _t13;
                				intOrPtr _t15;
                				intOrPtr _t16;
                
                				_v12 = __ecx;
                				_t13 = _t15;
                				_v16 = _t15;
                				__imp__#286(__ecx);
                				E011C8630(L"Try to Close AirPresenceKey");
                				_t16 = _t15 + 4;
                				_t8 = FindWindowW(0, L"IdeaShare Key");
                				_v8 = _t8;
                				if(_v8 != 0) {
                					SendMessageA(_v8, 0x12, 0, 0);
                					_v20 = _t16;
                					__imp__#286(_t13);
                					return E011C8630(L"SendMessageA Close");
                				}
                				return _t8;
                			}

                APIs
                • #286.MFC140U(Try to Close AirPresenceKey,?,?,?,?,011CA463), ref: 011CA314
                  • Part of subcall function 011C8630: #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                  • Part of subcall function 011C8630: #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C8630: #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                • FindWindowW.USER32(00000000,IdeaShare Key), ref: 011CA329
                • SendMessageA.USER32(00000000,00000012,00000000,00000000), ref: 011CA342
                • #286.MFC140U(SendMessageA Close), ref: 011CA353
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #286$#1506#280FindMessageSendWindow
                • String ID: IdeaShare Key$SendMessageA Close$Try to Close AirPresenceKey
                • API String ID: 683426990-789647379
                • Opcode ID: 71aba9ee405b9d0b568c1c9017eceb341e3f18063efe2831d388076beb45ea81
                • Instruction ID: fc8b2c2906793e30b48703ad53e893d013ca5534b80de6a9a6c7ed01170952d5
                • Opcode Fuzzy Hash: 71aba9ee405b9d0b568c1c9017eceb341e3f18063efe2831d388076beb45ea81
                • Instruction Fuzzy Hash: 08F030B0E54208BFDB18ABE5AC0FB5D7E64AB54F05F00407DF51567280D7B526408BD3
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 011C24E5
                • _invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 011C24F1
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: _errno_invalid_parameter_noinfo
                • String ID:
                • API String ID: 2959964966-0
                • Opcode ID: ceeffcc66af08ecdd431f5256e0eb14700ee7fc7724f24e132df11d6b5ad8c72
                • Instruction ID: ba308c0ff22492b601ff0c4b98eae0d2a44be9b0f2c24773d8a9bb5910d63c84
                • Opcode Fuzzy Hash: ceeffcc66af08ecdd431f5256e0eb14700ee7fc7724f24e132df11d6b5ad8c72
                • Instruction Fuzzy Hash: DD31F875904209DFDF18DF94D9687EEBBB1FB24B14F108069E81657280D3B5CA84CFA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #14322#1506#280#3009#305#5885#5922#6967
                • String ID:
                • API String ID: 3864542063-0
                • Opcode ID: 9abc68d7b6711c82e28dd25412ba9ca183414d09acf9d90dfe4ac9c2b435c513
                • Instruction ID: 00e8fab392216e636ee99f214aa713c610f5792b7919495d7bcf4c5376321463
                • Opcode Fuzzy Hash: 9abc68d7b6711c82e28dd25412ba9ca183414d09acf9d90dfe4ac9c2b435c513
                • Instruction Fuzzy Hash: 6B1133B1900108EFCB18DF94ED54AAEBBB8FB48314F10463DF826D7284DB346A44CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #5922.MFC140U(?,?,?,?,000000FF), ref: 011C526F
                • #305.MFC140U(00000000,?,?,?,?,000000FF), ref: 011C5279
                • #5885.MFC140U(?,?,?,?,000000FF), ref: 011C5289
                • #6967.MFC140U(00000000,?,?,?,?,000000FF), ref: 011C5293
                • #14322.MFC140U(5A3FFFE3,00000000,?,?,?,?,000000FF), ref: 011C529E
                • #3009.MFC140U(00000000,5A3FFFE3,00000000,5A3FFFE3), ref: 011C52B0
                • #280.MFC140U(?), ref: 011C52C0
                • #1506.MFC140U ref: 011C52D9
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #14322#1506#280#3009#305#5885#5922#6967
                • String ID:
                • API String ID: 3864542063-0
                • Opcode ID: 4e3dba130624022f605cc9882bd800e36f23dfc74112b22ada118ed618f95a80
                • Instruction ID: 6b4d91c323276f9e76023222a6d10591fa18d387d8e1f990449215093a081e2b
                • Opcode Fuzzy Hash: 4e3dba130624022f605cc9882bd800e36f23dfc74112b22ada118ed618f95a80
                • Instruction Fuzzy Hash: 481121B1900109EFCB18DF94ED54AAEBBB8FB48314F004639F82693684DB346A44CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E011C7BE0(signed int __ecx, void* __edx, void* __esi) {
                				intOrPtr _v8;
                				char _v16;
                				signed int _v20;
                				char _v44;
                				signed int _v48;
                				char _v49;
                				char _v50;
                				char _v51;
                				signed int _v56;
                				signed int _v60;
                				char _v64;
                				intOrPtr _v68;
                				signed char _v72;
                				intOrPtr _v76;
                				char _v80;
                				intOrPtr _v84;
                				char _v88;
                				intOrPtr _v92;
                				signed int _t79;
                				signed int _t80;
                				char* _t81;
                				intOrPtr _t82;
                				int _t85;
                				void* _t89;
                				void* _t99;
                				signed char _t115;
                				intOrPtr _t125;
                				intOrPtr _t127;
                				signed int _t171;
                				signed int _t173;
                				void* _t174;
                				void* _t175;
                
                				_t175 = _t174 - 0x4c;
                				_t79 =  *0x11d3258; // 0x5a3fffe3
                				_t80 = _t79 ^ _t173;
                				_v20 = _t80;
                				_t81 =  &_v16;
                				 *[fs:0x0] = _t81;
                				_v48 = __ecx;
                				__imp__?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ(_t80, __esi,  *[fs:0x0], E011CC7D8, 0xffffffff);
                				if(_t81 == 0) {
                					L3:
                					_t82 = _v48;
                					__eflags =  *(_t82 + 0x4c);
                					if( *(_t82 + 0x4c) != 0) {
                						E011C6C50(_t82, _v48);
                						_t125 = _v48;
                						__eflags =  *(_t125 + 0x38);
                						if( *(_t125 + 0x38) != 0) {
                							E011C4790();
                							_v8 = 0;
                							while(1) {
                								_t127 = _v48;
                								_t156 =  *(_t127 + 0x4c);
                								_t85 = fgetc( *(_t127 + 0x4c));
                								_t175 = _t175 + 4;
                								_v72 = _t85;
                								__eflags = _v72 - 0xffffffff;
                								if(_v72 == 0xffffffff) {
                									break;
                								}
                								E011C7840( &_v44, _v72 & 0x000000ff);
                								_t89 = E011C7090();
                								_t156 = _v48 + 0x40;
                								_t92 = _v48;
                								__imp__?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z(_v48 + 0x40, E011C7090(), _t89 + E011C7AF0( &_v44),  &_v64,  &_v51,  &_v50,  &_v80);
                								_v60 = _v48;
                								__eflags = _v60;
                								if(_v60 < 0) {
                									L24:
                									_v92 = E011C7100(_t92);
                									_v8 = 0xffffffff;
                									E011C4C40();
                								} else {
                									__eflags = _v60 - 1;
                									if(_v60 <= 1) {
                										__eflags = _v80 -  &_v51;
                										if(_v80 ==  &_v51) {
                											E011C7140( &_v44, __eflags, 0, _v64 - E011C7090());
                											continue;
                										} else {
                											_t99 = E011C7090();
                											_t171 = _t99 + E011C7AF0( &_v44) - _v64;
                											__eflags = _t171;
                											_v56 = _t171;
                											while(1) {
                												__eflags = _v56;
                												if(_v56 <= 0) {
                													break;
                												}
                												_v56 = _v56 - 1;
                												_t156 = _v64 + _v56;
                												ungetc( *(_v64 + _v56),  *(_v48 + 0x4c));
                												_t175 = _t175 + 8;
                											}
                											_v84 = E011C7BD0( &_v51);
                											_v8 = 0xffffffff;
                											E011C4C40();
                										}
                									} else {
                										__eflags = _v60 - 3;
                										if(_v60 == 3) {
                											_v88 =  *((char*)(E011C7270( &_v44)));
                											_v8 = 0xffffffff;
                											E011C4C40();
                										} else {
                											goto L24;
                										}
                									}
                								}
                								goto L26;
                							}
                							_v76 = E011C7100(_t85);
                							_v8 = 0xffffffff;
                							E011C4C40();
                						} else {
                							_t115 = E011C3DF0( &_v49,  &_v49,  *(_v48 + 0x4c));
                							_t156 = _t115 & 0x000000ff;
                							__eflags = _t115 & 0x000000ff;
                							if((_t115 & 0x000000ff) == 0) {
                								_v68 = E011C7100(_t115);
                							} else {
                								_v68 = E011C7BD0( &_v49);
                							}
                						}
                					} else {
                						E011C7100(_t82);
                					}
                				} else {
                					__imp__?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ();
                					__imp__?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ();
                					if(_t81 >= _t81) {
                						goto L3;
                					} else {
                						__imp__?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ();
                						E011C7BD0(_t81);
                					}
                				}
                				L26:
                				 *[fs:0x0] = _v16;
                				return E011CB089(_v20 ^ _t173, _t156);
                			}

                APIs
                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(5A3FFFE3), ref: 011C7C0F
                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C7C1C
                • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C7C27
                • ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 011C7C34
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?egptr@?$basic_streambuf@Gninc@?$basic_streambuf@
                • String ID:
                • API String ID: 623893373-0
                • Opcode ID: 5c3aeff44a25ba640dace08641f7c9a0b4e68f58a09b32378c3b8f43c62043b4
                • Instruction ID: ec404db63a09390f17a4e97ac937e58589b3a64c08e36d26261f397e91c8cc26
                • Opcode Fuzzy Hash: 5c3aeff44a25ba640dace08641f7c9a0b4e68f58a09b32378c3b8f43c62043b4
                • Instruction Fuzzy Hash: FD714B72D00119DFCB1CDBA8D894AEDBBB5AF68B14F14822DE412B72D0EB706945CF91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 36%
                			E011C1DC0(void* __edx, intOrPtr _a4) {
                				signed int _v8;
                				short _v66;
                				signed short _v68;
                				char _v72;
                				signed int _v73;
                				intOrPtr* _v80;
                				char _v84;
                				intOrPtr _v88;
                				signed int _t37;
                				void* _t51;
                				void* _t66;
                				signed int _t86;
                
                				_t37 =  *0x11d3258; // 0x5a3fffe3
                				_v8 = _t37 ^ _t86;
                				_v84 = 0;
                				if(E011C1C70() >= 0) {
                					_v80 = E011C25C0(_t66);
                					 *_v80 = E011C2660(_a4, 0);
                					if( *_v80 != 0xffffffff) {
                						_v73 =  *0x11d35d8( *_v80, 0x40);
                						if((_v73 & 0x000000ff) != 0) {
                							_v73 =  *0x11d35cc( *_v80,  &_v84);
                							if((_v73 & 0x000000ff) != 0) {
                								_t83 = _v84;
                								_v88 =  *0x11d35d4(_v84,  &_v72);
                								if(_v88 == 0x110000) {
                									 *((short*)(_v80 + 8)) = _v66;
                									 *(_v80 + 0xc) = _v68 & 0x0000ffff;
                									 *0x11d35d0(_v84);
                									_t51 = malloc( *(_v80 + 0xc));
                									_t83 = _v80;
                									 *(_v80 + 0x1c) = _t51;
                								} else {
                									E011C26B0(_v80);
                									 *0x11d35d0(_v84, "HidP_GetCaps");
                									goto L12;
                								}
                							} else {
                								_push("HidD_GetPreparsedData");
                								E011C26B0(_v80);
                								goto L12;
                							}
                						} else {
                							_push("HidD_SetNumInputBuffers");
                							E011C26B0(_v80);
                							goto L12;
                						}
                					} else {
                						_push("CreateFile");
                						E011C26B0(_v80);
                						L12:
                						E011C1130(_v80);
                					}
                				} else {
                				}
                				return E011CB089(_v8 ^ _t86, _t83);
                			}

                APIs
                • hid_init.IDEASHARESERVICE ref: 011C1DD7
                  • Part of subcall function 011C1C70: hid_exit.IDEASHARESERVICE(?,011C1254), ref: 011C1C87
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: hid_exithid_init
                • String ID: CreateFile$HidD_GetPreparsedData$HidD_SetNumInputBuffers$HidP_GetCaps
                • API String ID: 2394251436-1068784098
                • Opcode ID: 488dc4207ab13151245782859dc61a71742473041012909e10473642c9bafe39
                • Instruction ID: f288495c9b09c304f7f38d2b6775a26f15f7ba58b12d04a6d048eadad9400324
                • Opcode Fuzzy Hash: 488dc4207ab13151245782859dc61a71742473041012909e10473642c9bafe39
                • Instruction Fuzzy Hash: 534181B4E00219EFCB09DFE4D8459AEBBB5BF68A04F00812DE825E7345EB35D842CB51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 51%
                			E011C4430(intOrPtr _a4) {
                				char _v8;
                				char _v16;
                				void* _v20;
                				intOrPtr* _v24;
                				intOrPtr _v28;
                				char _v32;
                				intOrPtr _v36;
                				void* _v40;
                				intOrPtr _v44;
                				char _v56;
                				signed int _t39;
                				char _t42;
                				intOrPtr _t46;
                				signed int _t76;
                
                				_t39 =  *0x11d3258; // 0x5a3fffe3
                				 *[fs:0x0] =  &_v16;
                				__imp__??0_Lockit@std@@QAE@H@Z(0, _t39 ^ _t76,  *[fs:0x0], E011CC451, 0xffffffff);
                				_v8 = 0;
                				_t42 =  *0x11d36c4; // 0x0
                				_v20 = _t42;
                				__imp__??Bid@locale@std@@QAEIXZ();
                				_v36 = _t42;
                				_v28 = E011C6A00(_a4, _v36);
                				if(_v28 == 0) {
                					if(_v20 == 0) {
                						_t46 = _a4;
                						__imp__?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z( &_v20, _t46);
                						__eflags = _t46 - 0xffffffff;
                						if(_t46 != 0xffffffff) {
                							_v24 = _v20;
                							E011C3D70(_v24);
                							_v8 = 1;
                							E011CC10C(__eflags, _v24);
                							 *((intOrPtr*)( *((intOrPtr*)( *_v24 + 4))))();
                							 *0x11d36c4 = _v20;
                							_v28 = _v20;
                							E011C78D0( &_v32);
                							_v8 = 0;
                							E011C4CB0( &_v32);
                						} else {
                							E011C4A00( &_v56);
                							_push(0x11d010c);
                							_push( &_v56);
                							L011CC1E4();
                						}
                					} else {
                						_v28 = _v20;
                					}
                				}
                				_v44 = _v28;
                				_v8 = 0xffffffff;
                				__imp__??1_Lockit@std@@QAE@XZ();
                				 *[fs:0x0] = _v16;
                				return _v44;
                			}

                APIs
                • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,5A3FFFE3), ref: 011C445A
                • ??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 011C4475
                • ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,?,?), ref: 011C44B0
                • std::bad_alloc::bad_alloc.LIBCMTD ref: 011C44C1
                • _CxxThrowException.VCRUNTIME140(011D010C,011D010C), ref: 011C44CF
                • ??1_Lockit@std@@QAE@XZ.MSVCP140(?), ref: 011C4538
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@ExceptionGetcat@?$codecvt@Mbstatet@@@std@@ThrowV42@@Vfacet@locale@2@std::bad_alloc::bad_alloc
                • String ID:
                • API String ID: 1419741763-0
                • Opcode ID: eb43c580e313770591c6f87d89f6afe4043ee083bb7af312db0f2b725a8ca4dd
                • Instruction ID: 62ac5e0184638c42609bf4e8d34b07001239030e977816d0a2a1f96057dd353a
                • Opcode Fuzzy Hash: eb43c580e313770591c6f87d89f6afe4043ee083bb7af312db0f2b725a8ca4dd
                • Instruction Fuzzy Hash: 6F3130B4D0420ADFCB18DF94D991BEEBBB0FB68714F20462DE526A3790D7346A44CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #316.MFC140U ref: 011C84F2
                • GetLocalTime.KERNEL32(5A3FFFE3), ref: 011C8503
                • #4815.MFC140U(?,[%4d-%2d-%2d]-[%2d:%2d:%2d:%3d],5A3FFFE3,?,?,00000000,?,011CC879,?), ref: 011C8535
                • #280.MFC140U(?), ref: 011C8545
                • #1506.MFC140U ref: 011C855E
                Strings
                • [%4d-%2d-%2d]-[%2d:%2d:%2d:%3d], xrefs: 011C852C
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #1506#280#316#4815LocalTime
                • String ID: [%4d-%2d-%2d]-[%2d:%2d:%2d:%3d]
                • API String ID: 1085935146-978164945
                • Opcode ID: a33538bd111579930cef2bf582fd13c5819c34ceb3c0e50dc2335735661edb87
                • Instruction ID: 1a47c299d4ac9c94e5ead72a5e488e6b5fce1f2ab67df17bac3518433d40325a
                • Opcode Fuzzy Hash: a33538bd111579930cef2bf582fd13c5819c34ceb3c0e50dc2335735661edb87
                • Instruction Fuzzy Hash: D121E9B1904118EFCB18DFD5D945AFEBBB8FB4C711F10426EF916A2280EB395A44CB64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 28%
                			E011C6220(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
                				intOrPtr _v8;
                				char _v16;
                				char _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				signed int _t19;
                				intOrPtr _t24;
                				char* _t27;
                				signed int _t37;
                				void* _t38;
                
                				_t19 =  *0x11d3258; // 0x5a3fffe3
                				 *[fs:0x0] =  &_v16;
                				_v24 = __ecx;
                				__imp__#296(_t19 ^ _t37,  *[fs:0x0], E011CC6F9, 0xffffffff);
                				_v8 = 0;
                				_t27 =  &_v20;
                				__imp__#4815(_t27, L"End Session:%d", _a4);
                				_v32 = _t38 - 0x10 + 0xc;
                				__imp__#280(_t27);
                				E011C8630( &_v20);
                				_t24 = _a4;
                				_v28 = _t24;
                				if(_v28 == 1) {
                					__eflags = _v24 + 0xd4;
                					_t24 = E011CA540(_v24 + 0xd4, _v24 + 0xd4);
                				}
                				L011CBF1D();
                				_v8 = 0xffffffff;
                				__imp__#1045(_a4);
                				 *[fs:0x0] = _v16;
                				return _t24;
                			}















                APIs
                • #316.MFC140U(5A3FFFE3), ref: 011C624B
                • #4815.MFC140U(?,End Session:%d,?), ref: 011C6265
                • #280.MFC140U(?), ref: 011C6278
                  • Part of subcall function 011C8630: #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                  • Part of subcall function 011C8630: #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C8630: #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                • #10049.MFC140U(?), ref: 011C62A9
                • #1506.MFC140U(?), ref: 011C62B8
                Strings
                Similarity
                • API ID: #1506#280$#10049#286#316#4815
                • String ID: End Session:%d
                • API String ID: 4219611940-2453954734
                • Opcode ID: 8f916ec31996b9066eca417ad666d6c3a64c14ea864b4e837de9bb333065ae8c
                • Instruction ID: 33fa2fb29d3c23e44c0528757114b7b5d27c8099d551abc17aac3a8eb8d77063
                • Opcode Fuzzy Hash: 8f916ec31996b9066eca417ad666d6c3a64c14ea864b4e837de9bb333065ae8c
                • Instruction Fuzzy Hash: 91116DB1904209EFCB08DFD4E945AAEBB74FB68714F00462DE922A7380DB316A04CB95
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z.MSVCP140(?,?,?), ref: 011C7F5E
                • ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ.MSVCP140 ref: 011C7F78
                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?), ref: 011C7FC5
                • ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP140(?), ref: 011C7FFA
                • fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,00000000), ref: 011C8030
                • ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z.MSVCP140(?,?,?), ref: 011C806A
                Similarity
                • API ID: D@std@@@std@@U?$char_traits@$?xsgetn@?$basic_streambuf@$?gbump@?$basic_streambuf@?gptr@?$basic_streambuf@Gnavail@?$basic_streambuf@fread
                • String ID:
                • API String ID: 4258528524-0
                • Opcode ID: 5e06216bd6576f93d90904803d00e66319fbde111695e0c525faac0143d2bec2
                • Instruction ID: 789acf2a717b2ee14e893020d997bfbe3682399d835bb8d612d805b9124a5d16
                • Opcode Fuzzy Hash: 5e06216bd6576f93d90904803d00e66319fbde111695e0c525faac0143d2bec2
                • Instruction Fuzzy Hash: 7C41D574A00209EFCB08CF98D894A9EBBB5FF98714F10C569F92997254C770AA90CF91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z.MSVCP140(?,?,?), ref: 011C80AE
                • ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ.MSVCP140 ref: 011C80C8
                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(00000000,?), ref: 011C8119
                • ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP140(?), ref: 011C814A
                • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,00000000), ref: 011C8178
                • ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z.MSVCP140(?,?,?), ref: 011C81B2
                Similarity
                • API ID: D@std@@@std@@U?$char_traits@$?xsputn@?$basic_streambuf@$?pbump@?$basic_streambuf@?pptr@?$basic_streambuf@Pnavail@?$basic_streambuf@fwrite
                • String ID:
                • API String ID: 3583806804-0
                • Opcode ID: 4dea9b0a5184f5a0d414b5056ee83d8c50278833c15cb6fa3222694edf7a59eb
                • Instruction ID: c3b625183851f86670c43a9dc146c8e994d69259a3d9cd9bef79a1cbd1be6efa
                • Opcode Fuzzy Hash: 4dea9b0a5184f5a0d414b5056ee83d8c50278833c15cb6fa3222694edf7a59eb
                • Instruction Fuzzy Hash: 0841E575A00249EFDB18CF98D884AAEBBB5FF98704F10C569E92997344C730AA50CF90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 011C4970: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140(?), ref: 011C4994
                  • Part of subcall function 011C4970: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 011C49B1
                • ?good@ios_base@std@@QBE_NXZ.MSVCP140(?,5A3FFFE3,?,00000000,011CC538,000000FF,?,011C3F06,?), ref: 011C4AE4
                • ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP140(?,011C3F06,?), ref: 011C4AFC
                • ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP140(?,011C3F06,?), ref: 011C4B13
                • ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP140(?,011C3F06,?), ref: 011C4B2B
                • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(?,011C3F06,?), ref: 011C4B33
                • ?good@ios_base@std@@QBE_NXZ.MSVCP140(?,011C3F06,?), ref: 011C4B46
                Similarity
                • API ID: U?$char_traits@$D@std@@@std@@$D@std@@@2@$?tie@?$basic_ios@V?$basic_ostream@$?good@ios_base@std@@?rdbuf@?$basic_ios@V?$basic_streambuf@$?flush@?$basic_ostream@V12@
                • String ID:
                • API String ID: 2615938766-0
                • Opcode ID: 50402ebe284f1f2f0454ac70326ce05871cfdb0667ce6367ef9c562a8c73c1b2
                • Instruction ID: 0b1a0900c51a35f7adefd4c86a942b36b1605353a5b4896d0c68239e66b0e146
                • Opcode Fuzzy Hash: 50402ebe284f1f2f0454ac70326ce05871cfdb0667ce6367ef9c562a8c73c1b2
                • Instruction Fuzzy Hash: DA210A74600208EFCB18CF58D894A69BBB2FF89754F14C269ED168B395CB31E941CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 44%
                			E011C64A0(intOrPtr __ecx, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                				intOrPtr _v8;
                				char _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				char _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				signed int _t28;
                				char* _t42;
                				signed int _t57;
                				void* _t58;
                
                				_t28 =  *0x11d3258; // 0x5a3fffe3
                				 *[fs:0x0] =  &_v16;
                				_v20 = __ecx;
                				__imp__#296(_t28 ^ _t57,  *[fs:0x0], E011CC759, 0xffffffff);
                				_v8 = 0;
                				_t42 =  &_v28;
                				__imp__#4815(_t42, L"Power Broadcast:%d", _a4);
                				_v36 = _t58 - 0x14 + 0xc;
                				__imp__#280(_t42);
                				E011C8630( &_v28);
                				_v24 = _a4;
                				if(_v24 == 4) {
                					__eflags = _v20 + 0xd4;
                					E011CA300(_v20 + 0xd4, _v20 + 0xd4);
                				} else {
                					if(_v24 == 7) {
                						E011C5DD0(_v20, _a4, __esi, __eflags, _a4, 0);
                					} else {
                						if(_v24 == 0x12) {
                							E011C5DD0(_v20,  &_v28, __esi, __eflags, _a4, 0);
                						}
                					}
                				}
                				_v32 = E011C6590(_a8, _v20, _a4, _a8);
                				_v8 = 0xffffffff;
                				__imp__#1045();
                				 *[fs:0x0] = _v16;
                				return _v32;
                			}















                APIs
                • #316.MFC140U(5A3FFFE3), ref: 011C64CB
                • #4815.MFC140U(?,Power Broadcast:%d,?), ref: 011C64E5
                • #280.MFC140U(?), ref: 011C64F8
                  • Part of subcall function 011C8630: #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                  • Part of subcall function 011C8630: #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C8630: #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                • #1506.MFC140U(?,?), ref: 011C656D
                Strings
                Similarity
                • API ID: #1506#280$#286#316#4815
                • String ID: Power Broadcast:%d
                • API String ID: 3723511950-1078042434
                • Opcode ID: 7b71fb19d88463f594e45731ec33561030954f9434ab89698da526caa102c2f1
                • Instruction ID: e0e767d283d269aa142d3adf8304f236ed5cd0c1d63c36a120f5dcecd165012c
                • Opcode Fuzzy Hash: 7b71fb19d88463f594e45731ec33561030954f9434ab89698da526caa102c2f1
                • Instruction Fuzzy Hash: 212162B1904209DFCB1CDF98D855ABFBBB4FB68B04F10412DE526A7380D7306A40CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #316.MFC140U(5A3FFFE3,?,011C5ECA,?,00000014), ref: 011C9CDB
                • #4815.MFC140U(?,HasValidSetup:%d,?,?,011C5ECA,?), ref: 011C9CF8
                • #280.MFC140U(?,?,?,?,?,?,?,?), ref: 011C9D0B
                  • Part of subcall function 011C8630: #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                  • Part of subcall function 011C8630: #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C8630: #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                • #1506.MFC140U(?,?,?,?,?,?,?), ref: 011C9D2B
                Strings
                Similarity
                • API ID: #1506#280$#286#316#4815
                • String ID: HasValidSetup:%d
                • API String ID: 3723511950-4085193504
                • Opcode ID: e47d180d57f4327afeced2b611693276fe166ad25a57f81a48b74d19febde9a4
                • Instruction ID: 5c29a01cf45fb826b1c7ead1c692888a438f2bc6e9d5a6e05077f81ad4a6563f
                • Opcode Fuzzy Hash: e47d180d57f4327afeced2b611693276fe166ad25a57f81a48b74d19febde9a4
                • Instruction Fuzzy Hash: C91165B5D04249DFCB18DFE4E945AAEBF74EB59614F10426DE825A3380D7341A04CB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #316.MFC140U(5A3FFFE3,?,?,?,00000014), ref: 011C9F9B
                • #4815.MFC140U(?,IsSetupNewer:%d,?,?,?,?), ref: 011C9FB9
                • #280.MFC140U(?), ref: 011C9FCC
                  • Part of subcall function 011C8630: #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                  • Part of subcall function 011C8630: #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C8630: #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                • #1506.MFC140U ref: 011C9FED
                Strings
                Similarity
                • API ID: #1506#280$#286#316#4815
                • String ID: IsSetupNewer:%d
                • API String ID: 3723511950-3210157722
                • Opcode ID: 767291adfb993f07a7a1bc189ad2b8fa90efdc6e6c669edaf575db3947dbf6f0
                • Instruction ID: c71dbfc7475049c5d9115b43777720a87d069692952a4bdebe7e2edfb3ffb193
                • Opcode Fuzzy Hash: 767291adfb993f07a7a1bc189ad2b8fa90efdc6e6c669edaf575db3947dbf6f0
                • Instruction Fuzzy Hash: 4611A5B5D04249DFCB18DFE4E945AAEFF78EB18614F10426DE82563380DB355A04CF91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 66%
                			E011C6380(intOrPtr __ecx, signed int __edx) {
                				intOrPtr _v8;
                				char _v16;
                				signed int _v20;
                				char _v36;
                				char _v120;
                				intOrPtr _v124;
                				int _v128;
                				int _v132;
                				signed int _v136;
                				signed int _v140;
                				signed int _t32;
                				signed int _t33;
                				void* _t44;
                				void* _t49;
                				signed int _t76;
                
                				_t74 = __edx;
                				_push(0xffffffff);
                				_push(E011CC728);
                				_push( *[fs:0x0]);
                				_t32 =  *0x11d3258; // 0x5a3fffe3
                				_t33 = _t32 ^ _t76;
                				_v20 = _t33;
                				_push(_t33);
                				 *[fs:0x0] =  &_v16;
                				_v124 = __ecx;
                				if(E011C5D60(_v124) == 0) {
                					L011CBF17();
                				} else {
                					_push(_v124);
                					L011CBD2B();
                					_v8 = 0;
                					E011C6750(_v124, 0x27, E011C5CA0( &_v120), 0);
                					_v128 = GetSystemMetrics(0xc);
                					_v132 = GetSystemMetrics(0xb);
                					E011C4910( &_v36);
                					E011C5C70(_v124,  &_v36);
                					_t44 = E011C5D00( &_v36);
                					asm("cdq");
                					_v136 = _t44 - _v128 + 1 - _t74 >> 1;
                					_t49 = E011C67E0( &_v36);
                					asm("cdq");
                					_v140 = _t49 - _v132 + 1 - _t74 >> 1;
                					_t74 = _v140;
                					E011C5A90( &_v120, _v140, _v136,  *((intOrPtr*)(_v124 + 0xd0)));
                					_v8 = 0xffffffff;
                					L011CBD31();
                				}
                				 *[fs:0x0] = _v16;
                				return E011CB089(_v20 ^ _t76, _t74);
                			}



















                APIs
                  • Part of subcall function 011C5D60: IsIconic.USER32 ref: 011C5D6E
                • #890.MFC140U(?,5A3FFFE3), ref: 011C63C2
                  • Part of subcall function 011C6750: SendMessageW.USER32(?,?,00000000,00000000), ref: 011C676A
                • GetSystemMetrics.USER32 ref: 011C63E5
                • GetSystemMetrics.USER32 ref: 011C63F0
                  • Part of subcall function 011C5C70: GetClientRect.USER32 ref: 011C5C82
                  • Part of subcall function 011C5A90: DrawIcon.USER32 ref: 011C5AAA
                • #1391.MFC140U ref: 011C6469
                • #11038.MFC140U(5A3FFFE3), ref: 011C6473
                Similarity
                • API ID: MetricsSystem$#11038#1391#890ClientDrawIconIconicMessageRectSend
                • String ID:
                • API String ID: 841960643-0
                • Opcode ID: 9bf3f5cb7d36b6e68bb8ecee8bf529bce79d6d7b7c8260930436c24e5d1c872e
                • Instruction ID: 1109fa6949341ce3e9f8c4d7b89eb42679f1357e492ab2412875fd1f9ced19d7
                • Opcode Fuzzy Hash: 9bf3f5cb7d36b6e68bb8ecee8bf529bce79d6d7b7c8260930436c24e5d1c872e
                • Instruction Fuzzy Hash: 8E316DB19042099FCB28EFB4DC81BEDBBB5FB28A04F50426DE416A3291DF306900CF54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E011C7900(void* __eax, intOrPtr __ecx, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				long _v16;
                				struct _IO_FILE* _t41;
                				void* _t72;
                
                				_v8 = __ecx;
                				__imp__?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ();
                				if(__eax == _v8 + 0x3c && _a16 == 1 &&  *((intOrPtr*)(_v8 + 0x38)) == 0) {
                					asm("sbb ecx, 0x0");
                					_a8 = _a8 - 1;
                				}
                				if( *(_v8 + 0x4c) == 0 || (E011C68E0(_v8) & 0x000000ff) == 0) {
                					L10:
                					E011C4820(_a4, 0xffffffff, 0xffffffff);
                					return _a4;
                				} else {
                					if((_a8 | _a12) != 0 || _a16 != 1) {
                						_t41 =  *(_v8 + 0x4c);
                						__imp___fseeki64(_t41, _a8, _a12, _a16);
                						_t72 = _t72 + 0x10;
                						if(_t41 != 0) {
                							goto L10;
                						}
                						goto L9;
                					} else {
                						L9:
                						if(fgetpos( *(_v8 + 0x4c),  &_v16) == 0) {
                							E011C6C50(_t43, _v8);
                							E011C47E0(_a4,  *((intOrPtr*)(_v8 + 0x40)),  *((intOrPtr*)(_v8 + 0x44)), _v16, _v12);
                							return _a4;
                						}
                						goto L10;
                					}
                				}
                			}









                APIs
                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C790C
                • _fseeki64.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?), ref: 011C7976
                • fgetpos.API-MS-WIN-CRT-STDIO-L1-1-0(?,?), ref: 011C798E
                • fpos.LIBCPMTD ref: 011C79A2
                • fpos.LIBCPMTD ref: 011C79CA
                Similarity
                • API ID: fpos$?gptr@?$basic_streambuf@D@std@@@std@@U?$char_traits@_fseeki64fgetpos
                • String ID:
                • API String ID: 2986089438-0
                • Opcode ID: 0b40a04cc3a98ad01d033d3b1b22279bb0b1df11e59fdec7aee7675c27c05eac
                • Instruction ID: c83479c17c86b87663229322f399be796d052a9bd3ef9e83e0d4b9e941e80076
                • Opcode Fuzzy Hash: 0b40a04cc3a98ad01d033d3b1b22279bb0b1df11e59fdec7aee7675c27c05eac
                • Instruction Fuzzy Hash: 29311A70A00109EFDB18DF98D9949AE77B6BF54720F10825CF9159B291E730EE50CF91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E011C79E0(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, char _a8) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				long _v16;
                				char _v24;
                				intOrPtr* _t34;
                				intOrPtr _t35;
                				intOrPtr _t52;
                
                				_t52 = __edx;
                				_v8 = __ecx;
                				_v16 = E011C5100( &_a8);
                				_v12 = _t52;
                				if( *(_v8 + 0x4c) == 0 || (E011C68E0(_v8) & 0x000000ff) == 0 || fsetpos( *(_v8 + 0x4c),  &_v16) != 0) {
                					E011C4820(_a4, 0xffffffff, 0xffffffff);
                					return _a4;
                				} else {
                					_t34 = E011C7B10( &_a8,  &_v24);
                					_t35 = _v8;
                					 *((intOrPtr*)(_t35 + 0x40)) =  *_t34;
                					 *((intOrPtr*)(_t35 + 0x44)) =  *((intOrPtr*)(_t34 + 4));
                					E011C6C50(_t35, _v8);
                					E011C47E0(_a4,  *((intOrPtr*)(_v8 + 0x40)),  *((intOrPtr*)(_v8 + 0x44)), _v16, _v12);
                					return _a4;
                				}
                			}











                APIs
                Similarity
                • API ID: fpos$fsetpos
                • String ID:
                • API String ID: 2040621005-0
                • Opcode ID: 75df5715e229598f03a42ee9e2d576c3af9451b2cd9abac1d037d1fa92ec541f
                • Instruction ID: c6a6e68ef7074960fd888306bd0d05dc60bd688ef40426f8b43d2426011ee77a
                • Opcode Fuzzy Hash: 75df5715e229598f03a42ee9e2d576c3af9451b2cd9abac1d037d1fa92ec541f
                • Instruction Fuzzy Hash: B621BD75A04109EFCB1CDF99D990DAE77B5AF98610B14829CE5155B2A1D730EF00DF90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 44%
                			E011C7E60(void* __eax, intOrPtr* __ecx) {
                				intOrPtr* _v8;
                				char _v12;
                				char _v16;
                
                				_v8 = __ecx;
                				__imp__?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ();
                				if(__eax == 0) {
                					L3:
                					_v12 =  *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x1c))))();
                					_v16 = E011C7100(_t22);
                					if((E011C7110( &_v12,  &_v16,  &_v12) & 0x000000ff) == 0) {
                						 *((intOrPtr*)( *((intOrPtr*)( *_v8 + 0x10))))(_v12);
                						return _v12;
                					}
                					return _v12;
                				}
                				__imp__?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ();
                				__imp__?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ();
                				if(__eax >= __eax) {
                					goto L3;
                				}
                				__imp__?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ();
                				return E011C7BD0(__eax);
                			}







                APIs
                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C7E6D
                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C7E7A
                • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C7E85
                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C7E92
                • char_traits.LIBCPMTD ref: 011C7EC5
                Similarity
                • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?egptr@?$basic_streambuf@char_traits
                • String ID:
                • API String ID: 81576237-0
                • Opcode ID: 9cd0515e0569859c98f46c8b8372028c7c4d6978e3947cdd240e816376431943
                • Instruction ID: a58029c8c89cb64fe9460d219be725f74b9ed8290b281b8bd850982ca617c8f0
                • Opcode Fuzzy Hash: 9cd0515e0569859c98f46c8b8372028c7c4d6978e3947cdd240e816376431943
                • Instruction Fuzzy Hash: 01113075E00118EFCB18EFE8E98589DBBB5AF98600B1045A9D416A7394EB70AF40DF81
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E011C68E0(signed int __ecx) {
                				signed int _v8;
                				char _v12;
                				void _v44;
                				signed int _v48;
                				intOrPtr _v52;
                				int _v56;
                				int _v60;
                				char _v64;
                				char _v68;
                				char _v72;
                				intOrPtr _v76;
                				signed int _t41;
                				void* _t53;
                				signed int _t66;
                				int _t74;
                				signed int _t75;
                				signed int _t81;
                
                				_t41 =  *0x11d3258; // 0x5a3fffe3
                				_v8 = _t41 ^ _t81;
                				_v48 = __ecx;
                				_t43 = _v48;
                				if( *((intOrPtr*)(_v48 + 0x38)) != 0) {
                					_t66 = _v48;
                					_t77 =  *(_t66 + 0x3d) & 0x000000ff;
                					if(( *(_t66 + 0x3d) & 0x000000ff) != 0) {
                						_v64 =  *((intOrPtr*)( *((intOrPtr*)( *_v48 + 0xc))))(E011C7100(_t43));
                						_v68 = E011C7100(_t49);
                						_t77 =  &_v68;
                						if((E011C7110( &_v64,  &_v68,  &_v64) & 0x000000ff) == 0) {
                							_v76 = 0x20;
                							_t53 =  &_v44;
                							_t77 = _v48;
                							__imp__?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z(_v48 + 0x40, _t53,  &_v12,  &_v72);
                							_v52 = _t53;
                							if(_v52 == 0) {
                								 *((char*)(_v48 + 0x3d)) = 0;
                								goto L10;
                							} else {
                								if(_v52 == 1) {
                									L10:
                									_t74 = _v72 -  &_v44;
                									_v56 = _t74;
                									if(_t74 == 0) {
                										L13:
                										_t75 = _v48;
                										_t77 =  *(_t75 + 0x3d) & 0x000000ff;
                										if(( *(_t75 + 0x3d) & 0x000000ff) != 0) {
                											_v60 = 0;
                										} else {
                											_v60 = 1;
                										}
                									} else {
                										_t77 = _v56;
                										if(_v56 == fwrite( &_v44, 1, _v56,  *(_v48 + 0x4c))) {
                											goto L13;
                										} else {
                										}
                									}
                								} else {
                									if(_v52 == 3) {
                									}
                								}
                							}
                						} else {
                						}
                					} else {
                						goto L2;
                					}
                				}
                				return E011CB089(_v8 ^ _t81, _t77);
                			}





















                APIs
                • char_traits.LIBCPMTD ref: 011C6934
                • ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z.MSVCP140(?,?,?,00000000), ref: 011C696A
                • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,00000000), ref: 011C69AC
                Strings
                Similarity
                • API ID: ?unshift@?$codecvt@Mbstatet@@Mbstatet@@@std@@char_traitsfwrite
                • String ID:
                • API String ID: 1930296228-3916222277
                • Opcode ID: 58df8cbb2e034552d52f42a5b86e42303d199720f97f2a603738db25d6a9d1c9
                • Instruction ID: cb01ad78093ebd76832075ab8743eee9309aba6b70ce484912a3a9860f3ea1df
                • Opcode Fuzzy Hash: 58df8cbb2e034552d52f42a5b86e42303d199720f97f2a603738db25d6a9d1c9
                • Instruction Fuzzy Hash: 81313970D04108EFDF1DDFA8D884AEDBBB5BFA8604F14816EE4126B341E7309945CB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • #280.MFC140U(00000000,?,5A3FFFE3,011C90C3,?,00000000), ref: 011C85D6
                • #286.MFC140U(Error,?,?,5A3FFFE3,011C90C3,?,00000000), ref: 011C85EE
                  • Part of subcall function 011C86C0: #500.MFC140U(5A3FFFE3), ref: 011C86EF
                  • Part of subcall function 011C86C0: #503.MFC140U(5A3FFFE3), ref: 011C86FE
                  • Part of subcall function 011C86C0: #316.MFC140U(5A3FFFE3), ref: 011C870A
                  • Part of subcall function 011C86C0: #6967.MFC140U(00000000), ref: 011C8750
                  • Part of subcall function 011C86C0: #4715.MFC140U(00000000), ref: 011C875D
                  • Part of subcall function 011C86C0: #6967.MFC140U(00000000,00000000), ref: 011C876B
                  • Part of subcall function 011C86C0: CreateDirectoryW.KERNELBASE(00000000), ref: 011C8772
                  • Part of subcall function 011C86C0: #6967.MFC140U(?,?,?,?,00000000,00000000), ref: 011C87C5
                  • Part of subcall function 011C86C0: #11962.MFC140U(00000000,?,?,?,?,00000000,00000000), ref: 011C87CF
                  • Part of subcall function 011C86C0: #1506.MFC140U(00000000,?,?,?,?,00000000,00000000), ref: 011C87DB
                  • Part of subcall function 011C86C0: #1506.MFC140U(?,?,?,?,00000000,00000000), ref: 011C87E8
                  • Part of subcall function 011C86C0: #14606.MFC140U(?,00000002,?,?,?,?,00000000,00000000), ref: 011C8811
                • #1506.MFC140U(?,5A3FFFE3,011C90C3,?,00000000), ref: 011C860E
                Strings
                Similarity
                • API ID: #1506#6967$#11962#14606#280#286#316#4715#500#503CreateDirectory
                • String ID: Error
                • API String ID: 3432314039-2619118453
                • Opcode ID: 36454c89a209475fcee335395852a398107ceec928fa82e94eddb863d2a89dce
                • Instruction ID: 04df57ad5b31ea0571515555aec5d7cf726247f5565bc9b7d1be21e42e753057
                • Opcode Fuzzy Hash: 36454c89a209475fcee335395852a398107ceec928fa82e94eddb863d2a89dce
                • Instruction Fuzzy Hash: 6C015EB5D08248EFCB18DFA8E90579DBFB8EB19714F1042ADF829A3380D7751644CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Similarity
                • API ID: #1506#280#286
                • String ID: IdeaShareService.log
                • API String ID: 2934518568-861790017
                • Opcode ID: 05269fbd93ada38983b0ddff89c2263bc381fd4432f776c3d1c2379af8621c60
                • Instruction ID: 3e034d291009aea905ab3ed9c46430d92a3ca98051ff46ce2fc90b73181a4aa1
                • Opcode Fuzzy Hash: 05269fbd93ada38983b0ddff89c2263bc381fd4432f776c3d1c2379af8621c60
                • Instruction Fuzzy Hash: 81011271904549DFCB18CF94D945BADBBB4FB08714F10462DE826A33C0DB746A04CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E011C19B0(void* _a4) {
                				void** _v8;
                				void* _v12;
                				void* _t17;
                				void* _t29;
                
                				_t17 = _a4;
                				_v8 = _t17;
                				while(_v8 != 0) {
                					_v12 = _v8[8];
                					free( *_v8);
                					free(_v8[2]);
                					free(_v8[4]);
                					free(_v8[5]);
                					free(_v8);
                					_t29 = _t29 + 0x14;
                					_t17 = _v12;
                					_v8 = _t17;
                				}
                				return _t17;
                			}








                APIs
                • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 011C19D1
                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 011C19E1
                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 011C19F1
                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 011C1A01
                • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 011C1A0E
                Similarity
                • API ID: free
                • String ID:
                • API String ID: 1294909896-0
                • Opcode ID: a942c3ac1395a5b0ab1318d0b2d75ac43bc527fa299f6f9cfdb08dd22be95650
                • Instruction ID: a4bcd14531c5239efddecc1354ec435f40a02d5be3ecb4567a8ad49c3eb95725
                • Opcode Fuzzy Hash: a942c3ac1395a5b0ab1318d0b2d75ac43bc527fa299f6f9cfdb08dd22be95650
                • Instruction Fuzzy Hash: E201EDB4900108EFCB18DF94E94485DBBB5BF88305F2045B8E80757305E631EE55DB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E011C1130(void** _a4) {
                				void** _t14;
                
                				CloseHandle(_a4[0xc]);
                				CloseHandle( *_a4);
                				LocalFree(_a4[4]);
                				_t14 = _a4;
                				free( *(_t14 + 0x1c));
                				free(_a4);
                				return _t14;
                			}





                APIs
                • CloseHandle.KERNEL32(?,?,011C11A0,00000000), ref: 011C113A
                • CloseHandle.KERNEL32(00000000,?,011C11A0,00000000), ref: 011C1146
                • LocalFree.KERNEL32(?,?,011C11A0,00000000), ref: 011C1153
                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,011C11A0,00000000), ref: 011C1160
                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 011C116D
                Similarity
                • API ID: CloseHandlefree$FreeLocal
                • String ID:
                • API String ID: 2078629759-0
                • Opcode ID: cbe3ef0d0f5ff9497ab7ee5a7f0fa79c86d55df3afe5e2ec4feb59d891ca1bb1
                • Instruction ID: 4fb550a957566dd7ccf6157886a14839ff700210d5ce3ec1fbb66a0540c674d7
                • Opcode Fuzzy Hash: cbe3ef0d0f5ff9497ab7ee5a7f0fa79c86d55df3afe5e2ec4feb59d891ca1bb1
                • Instruction Fuzzy Hash: C0F030B8100204AFCB18DFA8F888C5A7F7ABF883647008478FD1A8B305D631E991CBD1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 32%
                			E011C5B70(intOrPtr __ecx, wchar_t* __edx, void* _a4, wchar_t* _a8) {
                				signed int _v8;
                				long _v264;
                				struct _tm _v300;
                				signed int _v304;
                				short _v308;
                				intOrPtr _v312;
                				signed int _t26;
                				tm* _t28;
                				signed int _t54;
                
                				_t50 = __edx;
                				_t26 =  *0x11d3258; // 0x5a3fffe3
                				_v8 = _t26 ^ _t54;
                				_v312 = __ecx;
                				_v304 = 0;
                				if(_a8 != 0) {
                					_t28 =  &_v300;
                					__imp___localtime64_s(_t28, _v312);
                					if(_t28 != 0) {
                						E011C55E0(_t28, 0x80070057);
                					}
                					if(wcsftime( &_v264, 0x80, _a8,  &_v300) == 0) {
                						_v308 = 0;
                						if(_v308 >= 0x100) {
                							E011CAFAF();
                						}
                						 *((short*)(_t54 + _v308 - 0x104)) = 0;
                					}
                					_t50 =  &_v264;
                					__imp__#286( &_v264);
                					_v304 = _v304 | 0x00000001;
                				} else {
                					__imp__#286(_a8);
                					_v304 = _v304 | 0x00000001;
                				}
                				return E011CB089(_v8 ^ _t54, _t50);
                			}













                APIs
                • #286.MFC140U(00000000), ref: 011C5BA0
                • _localtime64_s.API-MS-WIN-CRT-TIME-L1-1-0(?,?), ref: 011C5BCB
                • wcsftime.API-MS-WIN-CRT-TIME-L1-1-0(?,00000080,00000000,?), ref: 011C5BF9
                • #286.MFC140U(?), ref: 011C5C41
                Similarity
                • API ID: #286$_localtime64_swcsftime
                • String ID:
                • API String ID: 1884029608-0
                • Opcode ID: 56a40e5291320666f2b4f0f647f43168849bc77fe6c435f593bfbf9a71c72b89
                • Instruction ID: 03bd532c57355cc809bc387624a4a3295311e127bb7778d1ea5e28c1491be8ca
                • Opcode Fuzzy Hash: 56a40e5291320666f2b4f0f647f43168849bc77fe6c435f593bfbf9a71c72b89
                • Instruction Fuzzy Hash: 62215C70A00118DFDB68DFA8DC45BD977B9BF58704F0081A9E95997240EB30AB90CF94
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetupDiEnumDeviceInterfaces.SETUPAPI(FFFFFFFF,00000000,4D1E55B2,00000000,0000001C), ref: 011C12D3
                • SetupDiEnumDeviceInfo.SETUPAPI(FFFFFFFF,00000000,0000001C), ref: 011C13A0
                • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(FFFFFFFF,0000001C,00000007,00000000,?,00000100,00000000), ref: 011C13DA
                • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 011C192B
                • SetupDiDestroyDeviceInfoList.SETUPAPI(FFFFFFFF), ref: 011C194F
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: DeviceSetup$EnumInfo$DestroyInterfacesListPropertyRegistryfree
                • String ID:
                • API String ID: 2866960349-0
                • Opcode ID: 3d4007e97b4376dc73bc67514b7ab5012c7a909e57ad2552fb86bb1a973deb99
                • Instruction ID: 6d3b2145b8dc6c64ebbca7e8c82e76089917cd49dd64ca8eacb9eb39b7887e6c
                • Opcode Fuzzy Hash: 3d4007e97b4376dc73bc67514b7ab5012c7a909e57ad2552fb86bb1a973deb99
                • Instruction Fuzzy Hash: 3C110AB5A00928EFCB78DB94DC44BEBB775AF89316F0042DEE54AA6241DB305AC0CF51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 66%
                			E011CA260(intOrPtr __ecx, void* _a4) {
                				char _v8;
                				char _v16;
                				char _v17;
                				char _v18;
                				intOrPtr _v24;
                				void* _v44;
                				signed int _t20;
                				void* _t23;
                				signed int _t36;
                
                				_push(0xffffffff);
                				_push(E011CCBE0);
                				_push( *[fs:0x0]);
                				_t20 =  *0x11d3258; // 0x5a3fffe3
                				_push(_t20 ^ _t36);
                				 *[fs:0x0] =  &_v16;
                				_v24 = __ecx;
                				_v8 = 0;
                				_v17 = 0;
                				L011CBF59();
                				_v8 = 1;
                				_push(0);
                				_push(0);
                				_t23 = E011CAA30();
                				_push(_t23);
                				L011CBF5F();
                				if(_t23 != 0) {
                					_v17 = 1;
                				}
                				L011CBF6B();
                				_v18 = _v17;
                				_v8 = 0;
                				L011CBF71();
                				_v8 = 0xffffffff;
                				E011C2CC0();
                				 *[fs:0x0] = _v16;
                				return _v18;
                			}

                APIs
                • #500.MFC140U(5A3FFFE3,00000000,011CCBE0,000000FF,?,011C9072,00000000), ref: 011CA296
                • #11962.MFC140U(00000000,00000000,00000000,5A3FFFE3,00000000,011CCBE0,000000FF,?,011C9072,00000000), ref: 011CA2AF
                • #2885.MFC140U(00000000,00000000,00000000,5A3FFFE3,00000000,011CCBE0,000000FF,?,011C9072,00000000), ref: 011CA2BF
                • #1142.MFC140U(00000000,00000000,00000000,5A3FFFE3,00000000,011CCBE0,000000FF,?,011C9072,00000000), ref: 011CA2D1
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #1142#11962#2885#500
                • String ID:
                • API String ID: 2815327706-0
                • Opcode ID: 3ee16de3ba57fb142815d8f15b4eb7f70c52d5abc5a41c28022514f9e2d95a1d
                • Instruction ID: 6f9b65d55568f0396ea4e0389b2ebcdf8a1e22ed79cb57b59b8b106a775fad49
                • Opcode Fuzzy Hash: 3ee16de3ba57fb142815d8f15b4eb7f70c52d5abc5a41c28022514f9e2d95a1d
                • Instruction Fuzzy Hash: 3A11C231808189EACB09EFA8C940BDDBF74AF34B54F04419DE415A73C1DB715708CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E011CB09A(signed char __edx, int _a4) {
                				signed int _v16;
                				signed int _v20;
                				signed int _v24;
                				signed char _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				signed char _v44;
                				signed int _v48;
                				void* _t51;
                				signed int _t67;
                				signed int _t70;
                				signed int _t71;
                				intOrPtr _t73;
                				signed int _t75;
                				intOrPtr _t82;
                				intOrPtr* _t84;
                				signed char _t85;
                				intOrPtr* _t87;
                				signed char _t97;
                				intOrPtr* _t99;
                				signed int _t102;
                				signed int _t105;
                				void* _t111;
                				void* _t112;
                				void* _t114;
                
                				_t97 = __edx;
                				while(1) {
                					_t51 = malloc(_a4);
                					if(_t51 != 0) {
                						return _t51;
                					}
                					_push(_a4);
                					L011CC262();
                					if(_t51 == 0) {
                						if(_a4 != 0xffffffff) {
                							_push(_t111);
                							_t111 = _t114;
                							_t114 = _t114 - 0xc;
                							E011CB8F9( &_v20);
                							_push(0x11d0584);
                							_push( &_v20);
                							L011CC1E4();
                							asm("int3");
                						}
                						_push(_t111);
                						_t112 = _t114;
                						E011CB92C( &_v20);
                						_push(0x11d05bc);
                						_push( &_v20);
                						L011CC1E4();
                						asm("int3");
                						_push(_t112);
                						 *0x11d3abc =  *0x11d3abc & 0x00000000;
                						 *0x11d3270 =  *0x11d3270 | 1;
                						if(IsProcessorFeaturePresent(0xa) != 0) {
                							_v28 = _v28 & 0x00000000;
                							 *0x11d3270 =  *0x11d3270 | 0x00000002;
                							 *0x11d3abc = 1;
                							_t99 =  &_v48;
                							_push(1);
                							asm("cpuid");
                							_pop(_t82);
                							 *_t99 = 0;
                							 *((intOrPtr*)(_t99 + 4)) = 1;
                							 *((intOrPtr*)(_t99 + 8)) = 0;
                							 *(_t99 + 0xc) = _t97;
                							_v24 = _v48;
                							_v20 = _v36 ^ 0x49656e69;
                							_v16 = _v40 ^ 0x6c65746e;
                							_push(1);
                							asm("cpuid");
                							_t84 =  &_v48;
                							 *_t84 = 1;
                							 *((intOrPtr*)(_t84 + 4)) = _t82;
                							 *((intOrPtr*)(_t84 + 8)) = 0;
                							 *(_t84 + 0xc) = _t97;
                							if((_v16 | _v20 | _v44 ^ 0x756e6547) != 0) {
                								L17:
                								_t102 =  *0x11d3ac0; // 0x2
                							} else {
                								_t75 = _v48 & 0x0fff3ff0;
                								if(_t75 == 0x106c0 || _t75 == 0x20660 || _t75 == 0x20670 || _t75 == 0x30650 || _t75 == 0x30660 || _t75 == 0x30670) {
                									_t105 =  *0x11d3ac0; // 0x2
                									_t102 = _t105 | 0x00000001;
                									 *0x11d3ac0 = _t102;
                								} else {
                									goto L17;
                								}
                							}
                							_t67 = _v40;
                							_v16 = _t67;
                							if(_v24 < 7) {
                								_t85 = _v28;
                							} else {
                								_t73 = 7;
                								_push(_t84);
                								asm("cpuid");
                								_t87 =  &_v48;
                								 *_t87 = _t73;
                								_t67 = _v16;
                								 *((intOrPtr*)(_t87 + 4)) = _t84;
                								 *((intOrPtr*)(_t87 + 8)) = 0;
                								 *(_t87 + 0xc) = _t97;
                								_t85 = _v44;
                								if((_t85 & 0x00000200) != 0) {
                									 *0x11d3ac0 = _t102 | 0x00000002;
                								}
                							}
                							if((_t67 & 0x00100000) != 0) {
                								 *0x11d3270 =  *0x11d3270 | 0x00000004;
                								 *0x11d3abc = 2;
                								if((_t67 & 0x08000000) != 0 && (_t67 & 0x10000000) != 0) {
                									asm("xgetbv");
                									_v32 = _t67;
                									_v28 = _t97;
                									if((_v32 & 0x00000006) == 6) {
                										_t70 =  *0x11d3270; // 0x2f
                										_t71 = _t70 | 0x00000008;
                										 *0x11d3abc = 3;
                										 *0x11d3270 = _t71;
                										if((_t85 & 0x00000020) != 0) {
                											 *0x11d3abc = 5;
                											 *0x11d3270 = _t71 | 0x00000020;
                										}
                									}
                								}
                							}
                						}
                						return 0;
                					} else {
                						continue;
                					}
                					break;
                				}
                			}

                APIs
                • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,011C2F4C,00000000,?,011C2819,00000000), ref: 011CB0A2
                • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,011C2F4C,00000000,?,011C2819,00000000), ref: 011CB0AF
                • _CxxThrowException.VCRUNTIME140(?,011D0584), ref: 011CB999
                • _CxxThrowException.VCRUNTIME140(?,011D05BC), ref: 011CB9B6
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: ExceptionThrow$_callnewhmalloc
                • String ID:
                • API String ID: 4113974480-0
                • Opcode ID: 1f02d3f5276a8d8d4465a65ca490ecb84368ad94c9a88161b14d20f781c5803c
                • Instruction ID: e7e2f21769de685e1566ff920694ae6c503c775689e777a141a4b916fbc538b6
                • Opcode Fuzzy Hash: 1f02d3f5276a8d8d4465a65ca490ecb84368ad94c9a88161b14d20f781c5803c
                • Instruction Fuzzy Hash: EEF0BB3480830EB6CB1CBAFADC06A9D7B3C4930D94F50412DED29D1491EF70E654C9D5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C6C9A
                • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C6CAD
                • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 011C6CBC
                • ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z.MSVCP140(?,?,?), ref: 011C6CE0
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@$?egptr@?$basic_streambuf@?setg@?$basic_streambuf@D00@
                • String ID:
                • API String ID: 3089488326-0
                • Opcode ID: 1ffa6806254aa0eadddea6bded53104ce3a3aaa62090368d7a13c038bd26ed23
                • Instruction ID: b2b42b396e2d431a010a35c4aeb9b53c37c518870b5cd850e125ccc060f29017
                • Opcode Fuzzy Hash: 1ffa6806254aa0eadddea6bded53104ce3a3aaa62090368d7a13c038bd26ed23
                • Instruction Fuzzy Hash: 8BF0AF74901108EFCB1CDF99EA5595DBBB6FF88305B2441ADE406A3345DB306F50EB44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E011C5670(intOrPtr __ecx, void* __eflags) {
                				char _v8;
                				char _v16;
                				signed int _v20;
                				char _v44;
                				char _v68;
                				void* _v92;
                				intOrPtr _v96;
                				char _v120;
                				intOrPtr* _v124;
                				intOrPtr _v128;
                				short _v130;
                				signed int _v136;
                				intOrPtr* _v140;
                				char _v144;
                				char _v148;
                				intOrPtr _v152;
                				signed int _v156;
                				signed int _v160;
                				intOrPtr _v164;
                				intOrPtr _v168;
                				signed int _v172;
                				signed int _v176;
                				char _v352;
                				void* _v356;
                				signed int _t78;
                				signed int _t79;
                				signed int _t140;
                				signed int _t147;
                				void* _t148;
                				intOrPtr _t150;
                
                				_push(0xffffffff);
                				_push(E011CC5FB);
                				_push( *[fs:0x0]);
                				_t78 =  *0x11d3258; // 0x5a3fffe3
                				_t79 = _t78 ^ _t147;
                				_v20 = _t79;
                				_push(_t79);
                				 *[fs:0x0] =  &_v16;
                				_v128 = __ecx;
                				E011C35E0( &_v120);
                				_t150 = _t148 - 0x150 + 4;
                				_v8 = 0;
                				E011C2B70( &_v68,  &_v120);
                				_v8 = 1;
                				E011C2BF0(L"IdeaShare");
                				_v8 = 2;
                				_t136 =  &_v44;
                				_v152 = E011C71F0( &_v68,  &_v44, 0);
                				if(_v152 >= 0) {
                					_t136 = _v128 + 0x10c;
                					__eflags = _v128 + 0x10c;
                					E011C34B0(_v128 + 0x10c);
                					_t150 = _t150 + 4;
                				} else {
                					 *(_v128 + 0x10c) = _v96;
                				}
                				E011C4610( &_v352, "defAudioID.txt", 0x32, 0x40, 1);
                				_v8 = 3;
                				if((E011C7310( &_v352) & 0x000000ff) != 0) {
                					_v164 = E011C6800();
                					if( *(_v128 + 0x10c) != 0) {
                						_v140 =  *(_v128 + 0x10c);
                						_t157 = _v140;
                						if(_v140 != 0) {
                							_v124 = _v140;
                							_t140 = _v124 + 2;
                							__eflags = _t140;
                							_v156 = _t140;
                							do {
                								_v130 =  *_v124;
                								_v124 = _v124 + 2;
                								__eflags = _v130;
                							} while (_v130 != 0);
                							_v160 = _v124 - _v156 >> 1;
                							_v136 = _v160 + 1;
                							__eflags = _v136 - 0x3fffffff;
                							if(_v136 <= 0x3fffffff) {
                								E011CB380();
                								_v168 = _t150;
                								__eflags = _v136 << 1;
                								_v144 = E011C5600(_v168, _v168, _v140, _v136 << 1, _v164);
                							} else {
                								_v144 = 0;
                							}
                							_v148 = _v144;
                						} else {
                							_v148 = 0;
                						}
                						_v172 = E011C4720(_v148);
                						_v176 = _v172;
                						_v8 = 4;
                						_t136 = _v176;
                						E011C3DC0(_t157,  &_v352, _v176);
                						_v8 = 3;
                						E011C4C40();
                					}
                					E011C7010( &_v352);
                				}
                				_v8 = 2;
                				E011C53E0( &_v352, _t157);
                				_v8 = 1;
                				E011C2CC0();
                				_v8 = 0;
                				E011C2CC0();
                				_v8 = 0xffffffff;
                				E011C4C90( &_v120);
                				 *[fs:0x0] = _v16;
                				return E011CB089(_v20 ^ _t147, _t136);
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: __alloca_probe_16
                • String ID: IdeaShare$defAudioID.txt
                • API String ID: 1700504859-384376394
                • Opcode ID: 6ea0e1a3383099f32c1b019fc5597da479ed7fb38452fe69b3bf2f24b095652e
                • Instruction ID: 3d6d23275e7be8ae9075fa6f7fef28f7dcdb6af27cbfdc49f9a9a6cc252d4834
                • Opcode Fuzzy Hash: 6ea0e1a3383099f32c1b019fc5597da479ed7fb38452fe69b3bf2f24b095652e
                • Instruction Fuzzy Hash: A3615870D00218DFDB28DFA8C840BDEB7B1BF65704F5081ADD459A7281DB746A88CF91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E011C5FC0(intOrPtr __ecx) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				void* _t4;
                				intOrPtr _t8;
                
                				_v8 = __ecx;
                				_v12 = _t8;
                				__imp__#286(__ecx);
                				_t4 = E011C8630(L"OnDestroy");
                				L011CBF4D();
                				return _t4;
                			}

                APIs
                • #286.MFC140U(OnDestroy), ref: 011C5FD4
                  • Part of subcall function 011C8630: #280.MFC140U(?,?,5A3FFFE3,?,011C3A3A), ref: 011C8666
                  • Part of subcall function 011C8630: #286.MFC140U(Info,?,?,5A3FFFE3,?,011C3A3A), ref: 011C867E
                  • Part of subcall function 011C8630: #1506.MFC140U(?,5A3FFFE3,?,011C3A3A), ref: 011C869E
                • #9418.MFC140U ref: 011C5FE5
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.878783012.00000000011C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 011C0000, based on PE: true
                • Associated: 0000000B.00000002.878776154.00000000011C0000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878798555.00000000011CD000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878811550.00000000011D3000.00000004.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011D4000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011DF000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.00000000011FA000.00000002.00000001.01000000.00000008.sdmp
                • Associated: 0000000B.00000002.878816654.0000000001231000.00000002.00000001.01000000.00000008.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_11_2_11c0000_IdeaShareService.jbxd
                Similarity
                • API ID: #286$#1506#280#9418
                • String ID: OnDestroy
                • API String ID: 3653476901-215485032
                • Opcode ID: 1bbe2fc6e5b2de1b807e8484283938aad55b6e4a42449c457cab9a9a08df27a4
                • Instruction ID: 871c9ec0660390ada0ebe6a61845e3188ad817dcfd562aeb85fc755a5f6390dd
                • Opcode Fuzzy Hash: 1bbe2fc6e5b2de1b807e8484283938aad55b6e4a42449c457cab9a9a08df27a4
                • Instruction Fuzzy Hash: 5CD05EB0D14208ABCB08AB94FC0742C7B349A21904B0001BDE80512340EB312E148BD3
                Uniqueness

                Uniqueness Score: -1.00%